Data authentication system

ABSTRACT

A data processing apparatus and a data processing method efficiently ascertain that data are valid, prevent encryption processing key data from leaking, eliminate illegal use of contents data, restrict contents utilization, apply a plurality of different data formats to contents and efficiently execute reproduction processing of compressed data. The verification process of partial data is executed by collating the integrity partial data as check values for a combination of partial data of a content, and the verification process of the entirety of the combination of partial data is executed by collating partial-integrity-check-value-verifying integrity check values that verify the combination of the partial integrity check values. Master keys to generate individual keys necessary for a process such as data encryption are stored in the storage section and keys are generated as required. An illegal device list is stored in the header information of a content and referred to when data is used. Keys specific to a data processing apparatus and common keys are stored and the keys are selectively used according to the content use restriction. Plural content blocks are coupled, and at least a part of the content blocks is applied to an encryption process by an encryption key Kcon, then encryption key data that is the encryption key Kcon encrypted by an encryption key Kdis is stored in the header section. A content data is made of compression data and an expansion processing program or a combination of types of compression programs and the reproducing apparatus can determine an expansion program applicable to a compressed content.

TECHNICAL FIELD

[0001] The present invention relates to a data processing apparatus, a data processing method, and more particularly, to a method and apparatus for verifying that data constituting a data content are valid, that is, checking whether or not the data have been tampered with, as well as a method for imparting verification values, and also to an apparatus and a method capable of enhancing security by generating individual keys necessary for encryption processing using master keys corresponding to their respective individual keys. Moreover, the present invention provides a configuration that eliminates illegal usage of contents data or, more specifically, relates to an apparatus and a method capable of identifying illegal reproduction devices and eliminating illegal use of contents. Furthermore, the present invention relates to an apparatus and a method capable of easily setting contents only available to the data processing apparatus using contents data and contents data also available to other data processing apparatuses based on information specific to the data processing apparatus, etc. Still further, the present invention relates to a method, apparatus and verification value assignment method for verifying the validity of data configuring data contents, that is, verifying the presence or absence of tampering.

[0002] Furthermore, the present invention relates to a data processing apparatus, a content data generating method, and a data processing method that realize a content data configuration enabling content data to be provided and utilized under high security management in a configuration in which encryption processing is applied to data including at least any one of voice information, image information and program data, the data is provided to a content user together with various kinds of header information, and the content user performs reproduction, execution, or storing processing in a recording device.

[0003] Still further, the present invention relates to a data processing apparatus, a data processing method and a content data generating method for providing a configuration for efficiently executing reproduction processing in the case in which data contents are compressed voice data, image data or the like, and more specifically for enabling to have a configuration of the content data in which compressed data and an expansion processing program are combined, retrieve and extract an applicable expansion processing program based on header information of compressed data contents in which an applied expansion processing program is stored as header information to execute reproduction processing.

[0004] Further yet, the present invention relates to a configuration and method for reproducing various contents such as sounds, images, games, or programs which are available through recording media such as DVDs or CDs or wire or radio communication means such as CATV, the Internet, or satellite communication, in a recording and reproducing device owned by a user and storing the contents in an exclusive recording device, for example, a memory card, a hard disk, or a CD-R, realizing a configuration for imposing use limitations desired by a content distributor when a content stored in the recording device is used, and providing security such that the distributed content will not be illegally used by a third person other than regular users.

BACKGROUND ART

DESCRIPTION OF THE RELATED ART

[0005] Various data such as game programs, sound data, image data, or documenting programs (these are hereafter referred to as “contents”) are now distributed via a network such as the Internet or via distributable storage media such as DVDs or CDs. These distributed contents can be stored in a recording device such as a memory card or a hard disk which is attached to a recording and reproducing apparatus such as a Personal Computer (PC) or a game apparatus that is owned by a user so that once stored, the contents can be reproduced from the storage media.

[0006] Main components of a memory card used in a conventional information apparatus such as a video game apparatus or a PC include a connection means for controlling operations, a connector for connection to a slot connected to the connection means and formed in the information apparatus, a non-volatile memory connected to the control means for storing data, and others. The non-volatile memory provided in the memory card comprises an EEPROM, a flash memory, or the like.

[0007] Various contents such as data or programs that are stored in the memory card are invoked from the non-volatile memory in response to a user's command from an information apparatus main body such as a game apparatus or a PC which is used as a reproduction apparatus or to a user's command provided via a connected input means, and are reproduced from the information apparatus main body or from a display, speakers, or the like which are connected thereto.

[0008] Many software contents such as game programs, music data, or image data generally have their distribution rights held by their creators or sellers. Thus, in distributing these contents, a configuration is generally used which places specified limitations on the usage; that is, the use of software is permitted only for regular users so as to prevent unauthorized copying or the like; that is, security is taken into consideration.

[0009] One method for realizing limitations on the use by a user is a process for encrypting a distributed content. This process comprises a means for distributing various contents such as sound data, image data, or game programs which are encrypted, for example, via the Internet and decrypting a distributed encrypted content only for people confirmed to be regular users, the means corresponding to a configuration for imparting a decryption key.

[0010] Encrypted data can be returned to available decrypted data (plain text) obtained by a decryption process based on a predetermined procedure. Such a data encrypting and decrypting method that uses an encryption key for an information encrypting process while using a decryption key for such a decryption process is conventionally known.

[0011] There are various types of aspects of data encrypting and decrypting methods using an encryption key and a decryption key; an example is what is called a common key cryptosystem. The common key cryptosystem uses a common encryption key used for a data encrypting process and a common decryption key used for a data decrypting process and imparts these common keys used for the encryption and decryption processes, to regular users while excluding data accesses by illegal users that have no key. A representative example of this cryptosystem is the DES (Data Encryption Standard).

[0012] The encryption and decryption keys used for the encryption and decryption processes are obtained, for example, by applying a one-way function such as a hash function based on a password or the like. The one-way function makes it difficult to determine its input from its output. For example, a password decided by a user is used as an input to apply a one-way function so as to generate encryption and decryption keys based on an output from the function. Determining from the thus obtained encryption and decryption keys, the password, which is the original data for the keys, is substantially impossible.

[0013] In addition, a method called a “public key cryptosystem” uses different algorithms for a process based on an encryption key used for encryption and for a process based on a decryption key used for decryption. The public key cryptosystem uses a public key available to unspecified users so that an encrypted document for a particular individual is decrypted using a public key issued by this particular user. The document encrypted with the public key can only be decrypted with a secret key corresponding to the public key used for the decryption process. Since the secret key is owned by the individual that has issued the public key, the document encrypted with the public key can be decrypted only by individuals having the secret key. A representative public key cryptosystem is the RSA (Rivest-Shamir-Adleman) encryption.

[0014] The use of such a cryptosystem enables encrypted contents to be decrypted only for regular users. A conventional content distributing configuration employing such a cryptosystem will be described in brief with reference to FIG. 1.

[0015] FIG. 1 shows an example of a configuration in which a reproduction means 10 such as a PC (Personal Computer) or a game apparatus reproduces a program, sound or video data, or the like (content) obtained from a data providing means such as a DVD, a CD 30, or the Internet 40 and wherein data obtained from the DVD, CD 30, Internet 40, or the like are stored in a storage means 20 such as a floppy disk, a memory card, a hard disk, or the like.

[0016] The content such as a program or sound or video data is provided to a user having the reproduction means 10. A regular user obtains encrypted data as well as key data that are their encryption and decryption keys.

[0017] The reproduction means 10 has a CPU 12 to reproduce input data by means of a reproduction process section 14. The reproduction process section 14 decrypts encrypted data to reproduce a provided program and the content such as sound or image data.

[0018] The regular user saves the content such as the program and data to a storage means 20 in order to use the provided program again. The reproduction means 10 has a saving process section 13 for executing this content saving process. The saving process section 13 encrypts and saves the data in order to prevent the data stored in the storage means 20 from being illegally used.

[0019] A content encrypting key is used to encrypt the content. The saving process section 13 uses the content encrypting key to encrypt the content and then stores the encrypted content in a storage section 21 of the storage means 20 such as a FD (Floppy Disk), a memory card, or a hard disk.

[0020] To obtain and reproduce the stored content from the storage means 20, the user obtains encrypted data from the storage means 20 and causes the reproduction process section 14 of the reproduction means 10 to execute the decryption process using a content decrypting key, that is, the decryption key in order to obtain and reproduce decrypted data from the encrypted data.

[0021] According to the conventional example of configuration shown in FIG. 1, the stored content is encrypted in the storage means 20 such as a floppy disk or memory card and thus cannot be read externally. When, however, this floppy disk is to be reproduced by means of a reproduction means of another information apparatus such as PC or game apparatus, the reproduction is impossible unless the reproduction means has the same content key, that is, the same decryption key for decrypting the encrypted content. Accordingly, to implement a form available to a plurality of information apparatuses, a common decryption key must be provided to users.

[0022] The use of a common content encrypting key, however, means that there will be a higher possibility of disorderly distributing the encryption process key to users not having a regular license. Consequently, the illegal use of the content by users not having the regular license cannot be prevented, and it will be difficult to exclude the illegal use in PCs, game apparatuses, or the like which do not have the regular license.

[0023] In case that key information leaks from one of the apparatuses, the use of a common content encrypting key and decryption key can cause damage to the whole system which utilizes the keys.

[0024] Furthermore, in an environment using a common key as described above, it is possible to easily copy, for example, a content created on a certain PC and saved to a storage means such as a memory card or floppy disk, to another floppy disk. Consequently, a use form using the copied floppy disk instead of the original content data will be possible, so that a large number of copied content data available to information apparatuses such as game apparatuses or PCs may be created or tampered.

[0025] A method is conventionally used which contains a verifying integrity check value in content data for checking the validity of the data, that is, whether or not the data have been tampered with, and which then causes a recording and reproducing device to collate an integrity check value generated based on the data to be verified with the integrity check value contained in the content data to verify the data.

[0026] The integrity check value for the data contents, however, is generally generated for the entire data, and collating the integrity check value generated for the entire data requires an integrity check value to be generated for the entire data to be checked. If, for example, an integrity check value ICV is to be determined using a Message Authentication Code (MAC) generated in a DES-CBC mode, the DES-CBC process must be executed on the entire data. The amount of such calculations increases linearly with the data length, thereby disadvantageously reducing processing efficiency.

DESCRIPTION OF THE INVENTION

[0027] The present invention solves the above problems in the conventional art and is to provide, as a first object, a data processing apparatus and method and a data verifying value imparting method, which efficiently confirm the validity of data and efficiently execute a download process for a recording device executed after the verification, a reproduction process executed after the verification, and other processes, as well as a program providing medium for use in this apparatus and these methods.

[0028] Furthermore, as techniques for limiting the use of contents data to authorized users, various kinds of encryption processing are available such as data encryption, data decryption, data verification, signature processing. However, executing these kinds of encryption processing requires common secret information, for example, key information applied to encryption and decryption of contents data or an authentication key used for authentication to be shared between two apparatuses, that is, apparatuses between which contents data is transferred or apparatuses between which authentication processing is executed.

[0029] Therefore, in the case where key data, which is shared secret information, is leaked from either of the two apparatuses, the contents encryption data using the shared key information can also be decrypted by a third party who has no license, thus allowing illegal use of contents. The same is true for the case where an authentication key is leaked, which will lead to authentication being established for an apparatus with no license. Leakage of keys, therefore, has consequences threatening the entire system.

[0030] The present invention is intended to solve these problems. The second object of the invention is to provide a data processing apparatus, data processing system and data processing method with enhanced security in encryption processing. The data processing apparatus of the present invention does not store, in a storage section, individual keys necessary to execute encryption processing such as data encryption, data decryption, data verification, authentication processing and signature processing; instead, it stores master keys to generate these individual keys in the storage section and allows an encryption processing section to generate necessary individual keys based on the master keys and identification data of the apparatus or data.

[0031] Furthermore, it is possible to maintain a certain degree of security by supplying contents data in encrypted form. However, in the case where various encryption keys stored in memory are read through illegal reading of memory, key data, etc. is leaked and copied on a recorder/reproducer without any authorized license, contents may be illegally used using the copied key information.

[0032] It is the third object of the present invention to provide a data processing apparatus, data processing method and contents data generation method in a configuration capable of excluding such illegal reproducers, that is, a configuration identifying illegal reproducers and not allowing the identified reproducers to execute processing such as reproduction and downloading of contents data.

[0033] Furthermore, techniques for limiting the use of contents data to authorized users include encryption processing using predetermined encryption keys, for example, signature processing. However, conventional encryption processing using signature generally has a signature key common to all entities using contents in a system and such a signature key allows different apparatuses to use common contents, which involves a problem of leading to illegal copies of contents.

[0034] It is possible to store contents encrypted using a unique password, etc., but the password may be stolen. It is also possible to decrypt the same encrypted contents data by entering the same password through different reproducers, but it is difficult for a conventional security configuration to implement a system that can identify a reproducer to allow only the reproducer to use the contents.

[0035] The present invention has been implemented to solve the above problems of the prior art, and it is the fourth object of the present invention to provide a data processing apparatus and data processing method capable of allowing only a specific data processing apparatus to reproduce contents according to contents utilization restrictions by making it possible to selectively use an apparatus-specific key, which is specific to a data processing apparatus, and a system common key, which is common to other data processing apparatuses.

[0036] Furthermore, there is encryption processing of content data as a method of limiting utilization of content data to authorized users. However, there are various kinds of content data such as voice information, image information and program data, and there are various contents in cases such as a case in which all content data is required to be encrypted and a case in which a part requiring encryption processing and a part not requiring encryption processing are mixed.

[0037] Applying encryption processing uniformly to such various contents may generate unnecessary decryption processing in reproduction processing of the contents, or may generate unfavorable situations in terms of processing efficiency and processing speed. For example, for data such as music data to which real time reproduction is essential, it is desirable to have a content data structure to which decryption processing can be applied at high processing speed.

[0038] The present invention solves such problems. It is the fifth object of the present invention to provide a data processing apparatus, a content data generating method and a data processing method that enable various data structures corresponding to types of content data, i.e., various different data formats corresponding to the content, to be applied to a content, and enable generation and processing of content data that has high security and is easy to utilize in reproduction, execution and the like.

[0039] Furthermore, voice data, image data and the like that are decrypted are outputted to an AV output section to be reproduced. Nowadays, many contents are often compressed and stored in a storage medium or distributed. It is therefore necessary to expand the compressed data before reproducing. For example, if voice data is MP-3 compressed, the voice data is decrypted by an MP3 decoder to be output. And if content data is image data which is MP-3 compressed, the voice data is expanded by an MPEG2 decoder to be output.

[0040] However, as there are various kinds of compression processing and expansion processing programs, even if compressed data is provided from a content provider via a medium or a network, it is impossible to reproduce the data with a reproducing apparatus that does not have a compatible expansion program.

[0041] It is the sixth object of the present invention to provide a configuration for efficiently executing reproduction processing of compressed data, that is, a data processing apparatus, a data processing method and a content data generating method for efficiently executing reproduction processing in the case in which contents are compressed voice data, image data or the like.

[0042] The foregoing objects and other objects of the invention have been achieved by the provision of a data processing apparatus and a data processing method.

[0043] A first aspect of the present invention is: a data processing apparatus for processing content data provided by a recording or communication medium, characterized in that said apparatus comprises: a cryptography process section for executing a cryptography process on the content data; and a control section for executing control for the cryptography process section, and the cryptography process section: is configured to generate partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data-constituting section into a plurality of parts, collate the generated integrity check values to verify the partial data, generate an intermediate integrity check value based on a partial integrity check value set data string containing at least one or more of the partial integrity check values, and use the generated intermediate integrity check value to verify the entirety of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set.

[0044] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, the intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message, and the cryptography process section is configured to store the partial integrity check value-generating value and the general integrity check value-generating key.

[0045] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the cryptography process has plural types of partial-check-value-generating key corresponding to generated partial integrity check values.

[0046] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the cryptography process is a DES cryptography process, and the cryptography process section is configured to execute the DES cryptography process.

[0047] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, the intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message, and the cryptography process section is configured to execute the cryptography process in the DES-CBC mode.

[0048] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that in the DES-CBC mode-based cryptography process configuration of the cryptography process section, Triple DES is applied only in part of a message string to be processed.

[0049] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the data processing apparatus has a signature key, and the cryptography process section is configured to apply a value generated from the intermediate value by means of the signature key-applied cryptography process as a collation value for data verification.
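The two-level check described in [0043] to [0049], as an added example that is not part of the original document: a partial check value per partial data item, an intermediate check value over the set of partial check values, and a signature key applied to obtain the collation value. HMAC-SHA-256 stands in for the DES-CBC MAC and for the signature-key-applied step; every key, function name and sample input is constructed for the illustration.

```python
"""Two-level integrity check values (ICVs), as an added illustration.

Assumption: HMAC-SHA-256 stands in for both the DES-CBC MAC and the
signature-key-applied step; keys, names and sample data are constructed.
"""
import hashlib
import hmac

# Constructed demo keys (not from the document).
K_PARTIAL = b"demo-partial-check-value-key"
K_GENERAL = b"demo-general-check-value-key"
K_SIGN = b"demo-signature-key"


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed check value over one message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def partial_icvs(parts):
    """One partial ICV per partial data item (header, content block, ...)."""
    return [mac(K_PARTIAL, part) for part in parts]


def collation_value(icvs):
    """Intermediate ICV over the ICV set data string, then the signature key."""
    intermediate = mac(K_GENERAL, b"".join(icvs))
    return mac(K_SIGN, intermediate)


def verify_part(part, stored_icv):
    """Check a single partial data item without touching the others."""
    return hmac.compare_digest(mac(K_PARTIAL, part), stored_icv)


def verify_content(parts, stored_icvs, stored_collation):
    """Collate every partial ICV, then the collation value over the whole set."""
    if len(parts) != len(stored_icvs):
        return False, "part/ICV count mismatch"
    for index, (part, icv) in enumerate(zip(parts, stored_icvs)):
        if not verify_part(part, icv):
            return False, f"partial ICV {index} mismatch"
    if not hmac.compare_digest(collation_value(stored_icvs), stored_collation):
        return False, "collation value mismatch"
    return True, "ok"


def demo():
    """Run the checks over constructed content and return each outcome."""
    header = b"content-id=0001;blocks=2"
    block1 = b"first content block " * 4
    block2 = b"second content block " * 4
    parts = [header, block1, block2]
    icvs = partial_icvs(parts)
    coll = collation_value(icvs)

    results = {}
    results["intact"] = verify_content(parts, icvs, coll)
    # Header alone can be validated from its own partial ICV.
    results["header_only"] = verify_part(header, icvs[0])
    # A changed block fails at its own partial ICV.
    tampered = [header, block1[:-1] + b"X", block2]
    results["tampered_block"] = verify_content(tampered, icvs, coll)
    # A block removed together with its ICV passes every partial check;
    # only the check over the whole set notices.
    results["dropped_block"] = verify_content(parts[:2], icvs[:2], coll)
    # The same holds when blocks and their ICVs are reordered consistently.
    results["reordered"] = verify_content(
        [header, block2, block1], [icvs[0], icvs[2], icvs[1]], coll
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The last two cases show what the intermediate value adds: each partial check value binds only its own data, while the collation value binds which check values are present and in what order.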

[0050] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the data processing apparatus has a plurality of different signature keys as signature keys, and the cryptography process section is configured to apply one of the plurality of different signature keys which is selected depending on a localization of the content data, to the cryptography process for the intermediate integrity check value to obtain the collation value for data verification.

[0051] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the data processing apparatus has a common signature key common to all entities of a system for executing a data verifying process and an apparatus-specific signature key specific to each apparatus that executes a data verifying process.

[0052] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data and one or more content integrity check values generated for content block data partly constituting the data, and the cryptography process is configured to generate one or more header section integrity check values for a partial data set in the intra-header-section data to execute a collation process, generate one or more content integrity check values for a partial data set in the intra-content-section data to execute a collation process, and further generate a general integrity check value based on all the header section integrity check values and the content integrity check values generated, to execute a collation process in order to verify the data.

[0053] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data, and the cryptography process is configured to generate one or more header section integrity check values for a partial data set in the intra-header-section data to execute a collation process and further generate a general integrity check value based on the one or more header section integrity check values generated and on content block data constituting part of the data, to execute a collation process in order to verify the data.

[0054] Further, one embodiment of the data processing apparatus according to the present invention is characterized by further comprising a recording device for storing data validated by the cryptography process section.

[0055] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the control section is configured so that if, in the process executed by the cryptography process section to collate the partial integrity check value, the collation is not established, the control section suspends the process for storing data in the recording device.

[0056] Further, one embodiment of the data processing apparatus according to the present invention is characterized by further comprising a reproduction process section for reproducing data validated by the cryptography process section.

[0057] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that if, in the process executed by the cryptography process section to collate the partial integrity check value, the collation is not established, the control section suspends the reproduction process in the reproduction process section.

[0058] Further, one embodiment of the data processing apparatus according to the present invention is characterized by comprising control means for collating only the header section integrity check values in the data during the process executed by the cryptography process section to collate the partial integrity check values and transmitting data for which collation of the header section integrity check values has been established, to the reproduction process section for reproduction.

[0059] Moreover, a second aspect of the present invention is a data processing apparatus for processing content data provided by a recording or communication medium, characterized in that said apparatus comprises: a cryptography process section for executing a cryptography process on the content data; and a control section for executing control for the cryptography process section, and the cryptography process section: is configured to generate, if data to be verified are encrypted, integrity check values for the data to be verified by means of a signature data-applied cryptography process from data on arithmetic operation results obtained by executing an arithmetic operation process on decrypted data obtained by executing a decryption process on the encrypted data.

[0060] Further, one embodiment of the data processing apparatus according to the present invention is characterized in that the arithmetic operation process comprises performing an exclusive-OR operation on decrypted data every predetermined bytes, the decrypted data being obtained by decrypting the encrypted data.
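An added sketch of the second aspect in [0059] and [0060], not taken from the original document: already-decrypted data is folded by exclusive-OR every fixed number of bytes and the keyed step is applied to the folded result only. The 8-byte chunk size, zero padding of a short final chunk, HMAC-SHA-256 as the signature-applied step, and all names and sample data are assumptions made for the illustration.

```python
"""Check value from an XOR fold of decrypted data (added illustration)."""
import hashlib
import hmac

CHUNK = 8                        # assumed value for "every predetermined bytes"
K_SIGN = b"demo-signature-key"   # constructed demo key


def xor_fold(decrypted: bytes, chunk: int = CHUNK) -> bytes:
    """XOR all chunk-sized pieces together; a short tail is zero-padded."""
    acc = bytearray(chunk)
    for offset in range(0, len(decrypted), chunk):
        piece = decrypted[offset:offset + chunk].ljust(chunk, b"\x00")
        for i in range(chunk):
            acc[i] ^= piece[i]
    return bytes(acc)


def icv_for_decrypted(decrypted: bytes, key: bytes = K_SIGN) -> bytes:
    """Keyed step runs over the folded chunk only, whatever the data length."""
    return hmac.new(key, xor_fold(decrypted), hashlib.sha256).digest()


def compare(original: bytes, candidate: bytes) -> str:
    """Collate the candidate's check value against the original's."""
    same = hmac.compare_digest(
        icv_for_decrypted(original), icv_for_decrypted(candidate)
    )
    return "accepted" if same else "rejected"


def demo():
    """Outcomes for constructed 24-byte data made of three 8-byte chunks."""
    a, b, c = b"AAAAAAAA", b"BBBBBBBB", b"CCCCCCCC"
    original = a + b + c
    return {
        "unchanged": compare(original, original),
        "one_byte_changed": compare(original, a + b"BBBBBBBX" + c),
        # XOR is commutative, so chunk order does not affect the fold.
        "chunks_reordered": compare(original, c + a + b),
    }


if __name__ == "__main__":
    print(demo())
```

The fold makes the keyed computation constant-size, and the value it produces reflects changed bytes but not the order of aligned chunks.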

[0061] Moreover, a third embodiment of the present invention is a data processing method for processing content data provided by a recording or communication medium, the method being characterized in that said method: generates partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data constituting section into a plurality of parts, and collates the generated integrity check values to verify the partial data, and generates an intermediate integrity check value based on a partial integrity check value set data string containing at least one or more of the partial integrity check values, and uses the generated intermediate integrity check value to verify the entirety of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set.

[0062] Further, one embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, and the intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message.

[0063] Further, one embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value is generated by applying different types of partial-check-value-generating keys corresponding to generated partial integrity check values.

[0064] Further, one embodiment of the data processing method according to the present invention is characterized in that the cryptography process is a DES cryptography process.

[0065] Further, one embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, and the intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message.

[0066] Further, one embodiment of the data processing method according to the present invention is characterized in that a value generated from the intermediate value by means of a signature key-applied cryptography process is applied as a collation value for data verification.

[0067] Further, one embodiment of the data processing method according to the present invention is characterized in that different signature keys are applied to the cryptography process for the intermediate integrity check value depending on a localization of the content data, to obtain the collation value for data verification.

[0068] Further, one embodiment of the data processing method according to the present invention is characterized in that a common signature key common to all entities of a system for executing a data verifying process or an apparatus-specific signature key specific to each apparatus that executes a data verifying process is selected and used as the signature key depending on the localization of the content data.

[0069] Further, one embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data and one or more content integrity check values generated for intra-content-section data partly constituting the data, and a data verifying process generates one or more header section integrity check values for a partial data set in the intra-header-section data to execute a collation process; generates one or more content integrity check values for a partial data set in the intra-content-section data to execute a collation process; and further generates a general integrity check value based on all the header section integrity check values and the content integrity check values generated, to execute a collation process in order to verify the data.

[0070] Further, one embodiment of the data processing method according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data, the data verifying process comprises generating one or more header section integrity check values for a partial data set in the intra-header-section data to execute a collation process; and further generating a general integrity check value based on the one or more header section integrity check values generated and on content block data constituting part of the data, to execute a collation process in order to verify the data.

[0071] Further, one embodiment of the data processing method according to the present invention is characterized by further comprising a process for storing, after data verification, validated data.

[0072] Further, one embodiment of the data processing method according to the present invention is characterized in that if in the process for collating the partial integrity check value, the collation is not established, control is executed such as to suspend the process for storing data in the recording device.

[0073] Further, one embodiment of the data processing method according to the present invention is characterized by further comprising a data reproduction process for reproducing data after the data verification.

[0074] Further, one embodiment of the data processing method according to the present invention is characterized in that if in the process for collating the partial integrity check value, the collation is not established, control is executed such as to suspend the reproduction process executed in the reproduction process section.

[0075] Further, one embodiment of the data processing method according to the present invention is characterized in that said method collates only the header section integrity check values in the data during the process for collating the partial integrity check values and transmits data for which collation of the header section integrity check values has been established, to the reproduction process section for reproduction.
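
The two-level verification of paragraphs [0061] to [0075], as an added example that is not part of the original document: partial check values per header and content part, an intermediate value over the check value string, and a signature key applied to obtain the collation value. HMAC-SHA-256 is substituted for the DES-CBC MAC; the key names, key values and sample data are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo keys; names and values are assumptions for this example.
K_HEADER_PART = b"demo-header-partial-check-key"
K_CONTENT_PART = b"demo-content-partial-check-key"
K_GENERAL = b"demo-general-check-key"
K_COMMON_SIGN = b"demo-common-signature-key"


def mac(key, message):
    """Keyed check value; HMAC-SHA-256 stands in for the DES-CBC MAC."""
    return hmac.new(key, message, hashlib.sha256).digest()


def select_signature_key(localized, device_key):
    """Apparatus-specific key for localized content, otherwise the common key."""
    return device_key if localized else K_COMMON_SIGN


def partial_check_values(header_parts, content_parts):
    """One check value per partial data set, with a different key per type."""
    return ([mac(K_HEADER_PART, p) for p in header_parts]
            + [mac(K_CONTENT_PART, p) for p in content_parts])


def collation_value(check_values, sign_key):
    """Intermediate value over the check value string, then the signature key."""
    intermediate = mac(K_GENERAL, b"".join(check_values))
    return mac(sign_key, intermediate)


def impart(header_parts, content_parts, sign_key):
    """Producer side: the values stored alongside the data."""
    values = partial_check_values(header_parts, content_parts)
    return {"partial": values, "total": collation_value(values, sign_key)}


def verify(header_parts, content_parts, stored, sign_key, header_only=False):
    """Verifier side: returns (ok, reason) and names the first failing part.

    header_only=True collates only the header section check values, the
    mode described for handing data to the reproduction process section.
    """
    if len(stored["partial"]) != len(header_parts) + len(content_parts):
        return (False, "part count mismatch")
    checked_content = [] if header_only else content_parts
    computed = partial_check_values(header_parts, checked_content)
    for index, value in enumerate(computed):
        if not hmac.compare_digest(value, stored["partial"][index]):
            return (False, "partial check value %d mismatch" % index)
    if header_only:
        return (True, "header verified")
    total = collation_value(stored["partial"], sign_key)
    if not hmac.compare_digest(total, stored["total"]):
        return (False, "total check value mismatch")
    return (True, "ok")


if __name__ == "__main__":
    header, content = [b"usage-policy"], [b"block-0", b"block-1"]
    stored = impart(header, content, K_COMMON_SIGN)
    print(verify(header, content, stored, K_COMMON_SIGN))
    # A modified content block is caught by its own partial check value.
    print(verify(header, [b"block-0", b"block-X"], stored, K_COMMON_SIGN))
    # A part moved in together with its valid check value from other data
    # passes the partial check and is caught only by the total value.
    other = impart([b"other-policy"], [b"other-block"], K_COMMON_SIGN)
    spliced = {"partial": stored["partial"][:2] + [other["partial"][1]],
               "total": stored["total"]}
    print(verify(header, [b"block-0", b"other-block"], spliced, K_COMMON_SIGN))
```
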

[0076] Moreover, a fourth aspect of the present invention is a data processing method for processing content data provided by a recording or communication medium, the method being characterized in that said method: if data to be verified are encrypted, executes an arithmetic operation process on decrypted data obtained by decrypting the encrypted data, executes a signature key-applied cryptography process on data on arithmetic operation results obtained by the arithmetic operation, to generate integrity check values for the data to be verified.

[0077] Further, one embodiment of the data processing method according to the present invention is characterized in that the arithmetic operation process comprises performing an exclusive-OR operation on decrypted data every predetermined bytes, the decrypted data being obtained by decrypting the encrypted data.

[0078] Moreover, a fifth aspect of the present invention is a data verifying value imparting method for a data verifying process, characterized in that said method: imparts partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data constituting section into a plurality of parts, and imparts to data to be verified, an intermediate integrity check value used to verify a partial integrity check value set data string containing at least one or more of the partial integrity check values.

[0079] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, and the intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message.

[0080] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the partial integrity check value is generated by applying different types of partial-check-value-generating keys corresponding to generated partial integrity check values.

[0081] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the cryptography process is a DES cryptography process.

[0082] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, and the intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message.

[0083] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that a value generated from the intermediate value by means of a signature key-applied cryptography process is applied as a collation value for data verification.

[0084] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that different signature keys are applied to the cryptography process for the intermediate integrity check value depending on a localization of the content data, to obtain the collation value for data verification.

[0085] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that a common signature key common to all entities of a system for executing a data verifying process or an apparatus-specific signature key specific to each apparatus that executes a data verifying process is selected and used as the signature key depending on the localization of the content data.

[0086] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values for intra-header-section data partly constituting data and one or more content integrity check values for intra-content-section data partly constituting the data, and the method is set so that a general integrity check value is generated for all the header section integrity check values and the content integrity check values, to verify the data.

[0087] Further, one embodiment of the data verifying value imparting method according to the present invention is characterized in that the partial integrity check value contains one or more header section integrity check values for intra-header-section data partly constituting data, and the method is set so that a general integrity check value is generated for the one or more header section integrity check values and content block data partly constituting the data, to verify the data.

[0088] Moreover, a sixth aspect of the present invention is a program providing medium for providing a computer program for causing a data verifying process to be executed on a computer system to verify that data are valid, the program providing medium being characterized in that the computer program comprises steps of: executing a collation process using partial integrity check values generated as integrity check values for a partial data set containing one or more partial data obtained by dividing data into a plurality of parts, and using an intermediate integrity check value based on a partial integrity check value set obtained by combining a plurality of the partial integrity check values together, to verify the entirety of a plurality of partial data sets corresponding to the plurality of partial integrity check values constituting the partial integrity check value set.

[0089] A seventh aspect of the present invention is a data processing apparatus including an encryption processing section that executes encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing and a storage section that stores master keys to generate keys used for the encryption processing, characterized in that the encryption processing section is configured to generate individual keys necessary to execute the encryption processing based on the master keys and identification data of the apparatus or data subject to encryption processing.

[0090] According to another embodiment of the data processing apparatus of the present invention, the data processing apparatus is a data processing apparatus that performs encryption processing on transfer data via a recording medium or communication medium, characterized in that the storage section stores a distribution key generation master key MKdis for generating a distribution key Kdis used for encryption processing of the transfer data and the encryption processing section executes encryption processing based on the distribution key generation master key MKdis stored in the storage section and a data identifier, which is identification data of the transfer data and generates the transfer data distribution key Kdis.

[0091] Furthermore, according to another embodiment of the data processing apparatus of the present invention, the data processing apparatus is a data processing apparatus that performs authentication processing of an externally connected apparatus to/from which data is transferred, characterized in that the storage section stores an authentication key generation master key MKake for generating an authentication key Kake of the externally connected apparatus and the encryption processing section executes encryption processing based on the authentication key generation master key MKake stored in the storage section and an identifier of the externally connected apparatus, which is identification data of the externally connected apparatus and generates the authentication key Kake of the externally connected apparatus.

[0092] Furthermore, according to another embodiment of the data processing apparatus of the present invention, the data processing apparatus is a data processing apparatus that performs signature processing on data, characterized in that the storage section stores a signature key generation master key MKdev for generating a data processing apparatus signature key Kdev of the data processing apparatus and the encryption processing section executes encryption processing based on the signature key generation master key MKdev stored in the storage section and an identifier of the data processing apparatus, which is identification data of the data processing apparatus and generates the data processing apparatus signature key Kdev of the data processing apparatus.

[0093] Furthermore, according to another embodiment of the data processing apparatus of the present invention, individual key generation processing that generates an individual key necessary to execute encryption processing based on the master key and identification data of the apparatus or data subject to encryption processing is encryption processing that uses at least part of identification data of the apparatus or data subject to encryption processing as a message and applies the master key as the encryption key.

[0094] Furthermore, according to another embodiment of the data processing apparatus of the present invention, the encryption processing is encryption processing using a DES algorithm.

[0095] Furthermore, an eighth aspect of the present invention is a data processing system configured by a plurality of data processing apparatuses, characterized in that each of the plurality of data processing apparatuses has a common master key to generate a key used for encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing and each of the plurality of data processing apparatuses generates a common individual key necessary to execute the encryption processing based on the master key and identification data of the apparatus or data subject to encryption processing.

[0096] Furthermore, according to another embodiment of the data processing system of the present invention, the plurality of data processing apparatuses is configured by a contents data providing apparatus that supplies contents data and a contents data utilization apparatus that utilizes the contents data, both the contents data providing apparatus and contents data utilization apparatus have a distribution key generation master key to generate a contents data distribution key used for encryption processing of circulation contents data between the contents data providing apparatus and contents data utilization apparatus, the contents data providing apparatus generates a contents data distribution key based on the distribution key generation master key and contents identifier, which is an identifier of supplied contents data and executes encryption processing on the contents data, and the contents data utilization apparatus generates a contents data distribution key based on the distribution key generation master key and contents identifier, which is an identifier of supplied contents data and executes decryption processing on the contents data.

[0097] Furthermore, according to another embodiment of the data processing system of the present invention, the contents data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different contents data distribution keys, generates a plurality of different contents data distribution keys based on the plurality of distribution key generation master keys and the contents identifier, executes encryption processing using the plurality of distribution keys generated and generates encryption contents data of a plurality of types, and the contents data utilization apparatus has at least one distribution key generation master key of the plurality of different distribution key generation master keys owned by the contents data providing apparatus and makes decodable only encryption contents data by a distribution key generated using the same distribution key generation master key as the distribution key generation master key owned by the own apparatus.

[0098] Furthermore, according to another embodiment of the data processing system of the present invention, each of said plurality of data processing apparatuses stores a same contents key generation master key to generate a contents key applied to contents data encryption processing, data processing apparatus A, which is one of the plurality of data processing apparatuses, stores contents data encrypted by a contents key generated based on the contents key generation master key and the apparatus identifier of the data processing apparatus A in a storage medium, different data processing apparatus B generates a contents key based on the same contents key generation master key and the apparatus identifier of the data processing apparatus A and executes decryption processing on the encrypted contents data stored by said data processing apparatus A in said storage medium based on said contents key generated.

[0099] Furthermore, according to another embodiment of the data processing system of the present invention, the plurality of data processing apparatuses is configured by a host device and a slave device subject to authentication processing by the host device, both the host device and slave device have an authentication key generation master key applied to authentication processing between the host device and slave device, the slave device generates an authentication key based on the authentication key generation master key and slave device identifier, which is the identifier of the slave device and stores it in memory in the slave device, and the host device generates an authentication key based on the authentication key generation master key and slave device identifier, which is the identifier of the slave device and executes authentication processing.

[0100] Furthermore, a ninth aspect of the present invention is a data processing method that executes encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing, including a key generating step of generating individual keys necessary to execute the encryption processing based on master keys to generate the keys used for the encryption processing and identification data of the apparatus or data subject to encryption processing and an encryption processing step of executing encryption processing based on the key generated in the key generating step.

[0101] Furthermore, according to another embodiment of the data processing method of the present invention, data processing executed by the data processing method is encryption processing on transfer data via a storage medium or communication medium, the key generating step is a distribution key generating step of executing encryption processing based on a distribution key generation master key MKdis for generating a distribution key Kdis used for encryption processing of transfer data and a data identifier, which is identification data of the transfer data, and generating distribution key Kdis of the transfer data, and the encryption processing step is a step of executing encryption processing on transfer data based on the distribution key Kdis generated in the distribution key generating step.

[0102] Furthermore, according to another embodiment of the data processing method of the present invention, the data processing executed by the data processing method is authentication processing of an externally connected apparatus to/from which data is transferred, the key generating step is an authentication key generating step of executing encryption processing based on an authentication key generation master key MKake for generating an authentication key Kake of the externally connected apparatus and an externally connected apparatus identifier, which is identification data of the externally connected apparatus, and generating the authentication key Kake of the externally connected apparatus, and the encryption processing step is a step of executing authentication processing of the externally connected apparatus based on the authentication key Kake generated in the authentication key generation step.

[0103] Furthermore, according to another embodiment of the data processing method of the present invention, data processing executed by the data processing apparatus is signature processing on data, the key generating step is a signature key generating step of executing encryption processing based on a signature key generation master key MKdev for generating a data processing apparatus signature key Kdev of the data processing apparatus and a data processing apparatus identifier, which is identification data of the data processing apparatus and generating the data processing apparatus signature key Kdev of the data processing apparatus, and the encryption processing step is a step of executing signature processing on data based on the signature key Kdev generated in the signature key generating step.

[0104] Furthermore, according to another embodiment of the data processing method of the present invention, the key generating step is encryption processing that uses at least part of identification data of the apparatus or data subject to encryption processing as a message and applies the master key as the encryption key.

[0105] Furthermore, according to another embodiment of the data processing method of the present invention, the encryption processing is encryption processing using a DES algorithm.

[0106] Furthermore, a tenth aspect of the present invention is a data processing method in a data processing system comprising a contents data providing apparatus that supplies contents data and a contents data utilization apparatus that utilizes the contents data, characterized in that the contents data providing apparatus generates a contents data distribution key based on a distribution key generation master key for generating a contents data distribution key used for encryption processing on contents data and a contents identifier, which is the identifier of the provided contents data and executes encryption processing on the contents data, and the contents data utilization apparatus generates a contents data distribution key based on the distribution key generation master key and a contents identifier, which is the identifier of the provided contents data and executes decryption processing on the contents data.

[0107] Furthermore, according to another embodiment of the data processing method according to the present invention, the contents data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different contents data distribution keys, generates a plurality of different contents data distribution keys based on the plurality of distribution key generation master keys and the contents identifier, executes encryption processing using the plurality of distribution keys generated and generates encryption contents data of a plurality of types, and the contents data utilization apparatus has at least one distribution key generation master key of the plurality of different distribution key generation master keys owned by the contents data providing apparatus and decrypts only encryption contents data by a distribution key generated using the same distribution key generation master key as the distribution key generation master key owned by the own apparatus.

[0108] Furthermore, an eleventh aspect of the present invention is a data processing method in a data processing system comprising a step of storing, by data processing apparatus A, which is one of the plurality of data processing apparatuses, in a storage medium contents data encrypted using a contents key generated based on a contents key generation master key to generate a contents key used for encryption processing of contents data and the apparatus identifier of the data processing apparatus A, a step of generating the same contents key as the contents key by different data processing apparatus B based on the same contents key generation master key as that of the data processing apparatus A and the apparatus identifier of the data processing apparatus A, and a step of decrypting the contents data stored in the storage medium using the contents key generated by said data processing apparatus B.

[0109] Furthermore, a twelfth aspect of the present invention is a data processing method in a data processing system comprising a host device, and a slave device subject to authentication processing by the host device, characterized in that the slave device generates an authentication key based on an authentication key generation master key to generate an authentication key used for authentication processing between the host device and slave device and a slave device identifier, which is the identifier of the slave device and stores the authentication key generated in memory in said slave device, and the host device generates an authentication key based on the authentication key generation master key and slave device identifier, which is the identifier of the slave device and executes authentication processing.

[0110] Furthermore, a thirteenth aspect of the present invention is a program providing medium that supplies a computer program to execute encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing on a computer system, the computer program comprising a key generating step of generating individual keys necessary to execute the encryption processing based on the master key to generate the key used for the encryption processing and identification data of the apparatus or data subject to encryption processing, and an encryption processing step of executing encryption processing based on the keys generated in the key generating step.
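
The individual key generation of paragraphs [0089] to [0110], as an added example that is not part of the original document: each key is derived on demand from a master key and an identifier, so the host stores no per-slave key and apparatus B can rebuild apparatus A's contents key. HMAC-SHA-256 is substituted for DES encryption of the identifier; the challenge-response exchange, class names, key values and identifiers are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo master keys; values are assumptions for this example.
MK_AKE = b"demo-authentication-master-key"
MK_CON = b"demo-contents-key-master-key"
MK_DIS = {"type-1": b"demo-distribution-master-1",
          "type-2": b"demo-distribution-master-2"}


def derive_key(master_key, identifier):
    """Individual key from master key and identifier.

    HMAC-SHA-256 replaces the document's DES encryption of the identifier
    under the master key.
    """
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


class SlaveDevice:
    """Derives Kake from MKake and its own identifier and keeps only Kake."""

    def __init__(self, device_id, mk_ake):
        self.device_id = device_id
        self._k_ake = derive_key(mk_ake, device_id)

    def respond(self, challenge):
        # Proof of possession of Kake (exchange format is an assumption).
        return hmac.new(self._k_ake, challenge, hashlib.sha256).digest()


class HostDevice:
    """Holds MKake and rebuilds a slave's Kake from the identifier it claims."""

    def __init__(self, mk_ake):
        self._mk_ake = mk_ake

    def authenticate(self, claimed_id, respond):
        k_ake = derive_key(self._mk_ake, claimed_id)
        challenge = os.urandom(16)  # fresh per attempt, so replies are not reusable
        expected = hmac.new(k_ake, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))


def contents_key(mk_con, storing_apparatus_id):
    """Contents key bound to the apparatus that stored the data."""
    return derive_key(mk_con, storing_apparatus_id)


def distribution_keys(master_keys, content_id):
    """One Kdis per distribution master key held, for a given content."""
    return {name: derive_key(mk, content_id) for name, mk in master_keys.items()}


if __name__ == "__main__":
    slave = SlaveDevice(b"slave-0001", MK_AKE)
    host = HostDevice(MK_AKE)
    print("genuine slave:", host.authenticate(slave.device_id, slave.respond))
    print("wrong identifier:", host.authenticate(b"slave-0002", slave.respond))
    # Apparatus B must use A's identifier, not its own, to rebuild A's key.
    key_a = contents_key(MK_CON, b"apparatus-A")
    print("B rebuilds A's key:", contents_key(MK_CON, b"apparatus-A") == key_a)
    print("B with own id:", contents_key(MK_CON, b"apparatus-B") == key_a)
```
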

[0111] A fourteenth aspect of the present invention is a data processing apparatus that processes contents data supplied from a storage medium or communication medium, characterized by comprising a storage section that stores data processing apparatus identifiers, a list verification section that extracts an illegal device list included in the contents data and executes collation between entries of the list and the data processing apparatus identifiers stored in the storage section, and a control section that stops executing processing of at least either one of reproduction of the contents data or processing of storage in a recording device when the result of the collation processing in the collation processing section shows that the illegal device list includes information that matches the data processing identifiers.

[0112] According to another embodiment of the data processing apparatus of the present invention, the list verification section comprises an encryption processing section that executes encryption processing on the contents data, and the encryption processing section verifies the presence or absence of tampering in the illegal device list based on check values of the illegal device list included in the contents data and executes the collation processing only when the verification proves no tampering.

[0113] Furthermore, another embodiment of the data processing apparatus of the present invention further comprises an illegal device list check value generation key, characterized in that the encryption processing section executes encryption processing applying the illegal device list check value generation key to illegal device list configuration data to be verified, generates illegal device list check values, executes collation between the illegal device list check values and the illegal device list check values included in the contents data and thereby verifies the presence or absence of tampering in the illegal device list.

[0114] Furthermore, according to another embodiment of the data processing apparatus of the present invention, the list verification section comprises an encryption processing section that executes encryption processing on the contents data, the encryption processing section executes decryption processing of the encrypted illegal device list included in the contents data and executes the collation processing on the illegal device list resulting from the decryption processing.

[0115] Furthermore, according to another embodiment of the data processing apparatus of the present invention, the list verification section comprises an encryption processing section that executes mutual authentication processing with a recording device to/from which contents data is transferred, the list verification section extracts the illegal device list included in the contents data and executes collation with the data processing apparatus identifiers stored in the storage section on condition that authentication with the recording device has been established through mutual authentication processing executed by the encryption processing section.

[0116] A fifteenth aspect of the present invention is a data processing method that processes contents data supplied from a storage medium or communication medium, comprising a list extracting step of extracting an illegal device list included in the content data, a collation processing step of executing collation between entries included in the list extracted in the list extracting step and the data processing apparatus identifiers stored in a storage section in the data processing apparatus, and

[0117] a step of stopping execution of processing of at least either one of reproduction of the contents data or processing of storage in the recording device when the result of the collation processing in the collation processing step shows that the illegal device list includes information that matches the data processing identifiers.

[0118] Furthermore, according to another embodiment of the data processing method of the present invention, the data processing method further comprises a verification step of verifying the presence or absence of tampering in the illegal device list based on check values of the illegal device list included in the contents data, and the collation processing step executes collation processing only when the verification step proves no tampering.

[0119] Furthermore, according to another embodiment of the data processing method of the present invention, the verification step comprises a step of executing encryption processing applying an illegal device list check value generation key to illegal device list configuration data to be verified and generating illegal device list check values, and a step of executing collation between the illegal device list check values generated and the illegal device list check values included in the contents data and thereby verifying the presence or absence of tampering in the illegal device list.

[0120] Furthermore, another embodiment of the data processing method of the present invention further comprises a decrypting step of executing decrypting processing on the encrypted illegal device list included in the contents data and the collation processing step executes the collation processing on the illegal device list resulting from the decrypting step.

[0121] Furthermore, another embodiment of the data processing method of the present invention further comprises a mutual authentication processing step of executing mutual authentication processing with a recording device to/from which contents data is transferred, and the collation processing step executes collation processing on condition that authentication with the recording device has been established through mutual authentication processing executed by the mutual authentication processing step.
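The gate described in paragraphs [0116] to [0121] can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the unspecified encryption processing that produces the list check value, and the header field names, key and device identifiers are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

ICV_LEN = 8  # assumed check-value length (one 64-bit block)


def list_check_value(list_key: bytes, entries: list[bytes]) -> bytes:
    """Keyed check value over the illegal device list.

    HMAC-SHA256 (truncated) stands in for "encryption processing applying an
    illegal device list check value generation key".
    """
    mac = hmac.new(list_key, digestmod=hashlib.sha256)
    mac.update(len(entries).to_bytes(4, "big"))      # bind the entry count
    for entry in entries:
        mac.update(len(entry).to_bytes(2, "big"))    # unambiguous framing
        mac.update(entry)
    return mac.digest()[:ICV_LEN]


def build_header(list_key: bytes, revoked_ids: list[bytes]) -> dict:
    """Content-generation side: the list and its check value go into the header."""
    return {
        "illegal_device_list": list(revoked_ids),
        "list_check_value": list_check_value(list_key, revoked_ids),
    }


def may_process(header: dict, own_id: bytes, list_key: bytes,
                recorder_authenticated: bool) -> tuple[bool, str]:
    """Device side: decide whether reproduction or storage may proceed."""
    # Collation runs only once mutual authentication has been established.
    if not recorder_authenticated:
        return False, "recording device not authenticated"
    entries = header.get("illegal_device_list")
    stored = header.get("list_check_value")
    # Assumption of this example: a header lacking the list or its check
    # value is refused rather than treated as "nobody is revoked".
    if entries is None or stored is None:
        return False, "illegal device list or check value missing"
    # Verification step: regenerate the check value and collate it with the
    # stored one (constant-time comparison).
    if not hmac.compare_digest(list_check_value(list_key, entries), stored):
        return False, "illegal device list tampered"
    # Collation step: stop if this device's identifier is in the list.
    if any(hmac.compare_digest(entry, own_id) for entry in entries):
        return False, "device identifier is on the illegal device list"
    return True, "ok"


# Constructed sample data.
LIST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
HEADER = build_header(LIST_KEY, [b"DEV-0007", b"DEV-0042"])
# Same header with one entry dropped but the old check value left in place.
STALE_HEADER = dict(HEADER, illegal_device_list=[b"DEV-0007"])

if __name__ == "__main__":
    print(may_process(HEADER, b"DEV-0100", LIST_KEY, True))
    print(may_process(HEADER, b"DEV-0042", LIST_KEY, True))
    print(may_process(STALE_HEADER, b"DEV-0042", LIST_KEY, True))
    print(may_process(HEADER, b"DEV-0100", LIST_KEY, False))
```

Because the check value is verified before collation, a list edited without the list key is rejected before the device ever looks for its own identifier.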

[0122] A sixteenth aspect of the present invention is a contents data generation method that generates contents data supplied from a storage medium or communication medium to a plurality of recorders/reproducers, characterized in that an illegal device list whose component data comprises identifiers of recorders/reproducers, which will be excluded from the use of the contents data is stored as the header information of the contents data.

[0123] Furthermore, according to another embodiment of the contents data generation method of the present invention, the illegal device list check values for a tampering check of the illegal device list are also stored as the header information of the contents data.

[0124] Furthermore, according to another embodiment of the contents data generation method of the present invention, the illegal device list is encrypted and stored in the header information of the contents data.

[0125] Furthermore, a seventeenth aspect of the present invention is a program supply medium that supplies a computer program that allows a computer system to execute processing of contents data supplied from a storage medium or communication medium, characterized in that the computer program comprises a list extracting step of extracting an illegal device list included in the contents data, a collation processing step of executing collation between entries included in the list extracted in the list extracting step and the data processing apparatus identifiers stored in a storage section in the data processing apparatus, and a step of stopping execution of processing of either one of reproduction of the contents data or processing of storage in a recording device when the result of the collation processing in the collation processing step shows that the illegal device list includes information that matches the data processing identifiers.

[0126] An eighteenth aspect of the present invention is a data processing apparatus that processes contents data supplied via a recording medium or communication medium, comprising an encryption processing section that executes encryption processing on the contents data, a control section that executes control over the encryption processing section, a system common key used for encryption processing in the encryption processing section, which is common to other data processing apparatuses using the contents data, and at least one of an apparatus-specific key, which is specific to the data processing apparatus used for encryption processing in the encryption processing section or an apparatus-specific identifier to generate the apparatus-specific key, characterized in that the encryption processing section is configured to perform encryption processing by applying either one of the system common key or the apparatus-specific key according to the utilization mode of the contents data.

[0127] Furthermore, in another embodiment of the data processing apparatus of the present invention, the encryption processing section executes encryption processing by applying either one of the system common key or the apparatus-specific key according to utilization restriction information included in the contents data.

[0128] Furthermore, another embodiment of the data processing apparatus of the present invention further comprises a recording device for recording contents data, characterized in that the encryption processing section, when imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus, generates data to be stored in the recording device by executing encryption processing using the apparatus-specific key for the contents data, and in the case where the contents data is also made available to an apparatus other than the own data processing apparatus, data to be stored in the recording device is generated by executing encryption processing using the system common key on the contents data.

[0129] Furthermore, another embodiment of the data processing apparatus of the present invention comprises a signature key Kdev specific to the data processing apparatus and a system signature key Ksys common to a plurality of data processing apparatuses, characterized in that the encryption processing section, when the contents data is stored in the recording device imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus, generates an apparatus-specific check value through encryption processing applying the apparatus-specific signature key Kdev to the contents data and, when the contents data is stored in the recording device with the contents data also made available to an apparatus other than the own data processing apparatus, generates an overall check value through encryption processing applying the system signature key Ksys to the contents data, and the control section performs control of storing either one of the apparatus-specific check value generated by the encryption processing section or the overall check value together with the contents data in the recording device.

[0130] Furthermore, another embodiment of the data processing apparatus of the present invention comprises a signature key Kdev specific to the data processing apparatus and a system signature key Ksys common to a plurality of data processing apparatuses, characterized in that the encryption processing section, when contents data imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus is reproduced, generates an apparatus-specific check value applying the apparatus-specific signature key Kdev to the contents data and executes collation processing on the apparatus-specific check value generated and, when contents data also made available to an apparatus other than the own data processing apparatus is reproduced, generates an overall check value through encryption processing applying the system signature key Ksys to the contents data and performs collation processing on the overall check value generated, and the control section generates reproducible decrypted data by continuing processing of contents data by the encryption processing section only when collation with the apparatus-specific check value is established or when collation with the overall check value is established.

[0131] Furthermore, another embodiment of the data processing apparatus of the present invention comprises a recording data processing apparatus signature key master key MKdev and data processing apparatus identifier IDdev, characterized in that the encryption processing section generates a signature key Kdev as the data processing apparatus specific key through encryption processing based on the recording data processing apparatus signature key master key MKdev and the data processing apparatus identifier IDdev.

[0132] Furthermore, in another embodiment of the data processing apparatus of the present invention, the encryption processing section generates the signature key Kdev through DES encryption processing applying the recording data processing apparatus signature key master key MKdev to the data processing apparatus identifier IDdev.

[0133] Furthermore, in another embodiment of the data processing apparatus of the present invention, the encryption processing section generates an intermediate integrity check value by executing encryption processing on the contents data and executes encryption processing applying the data processing apparatus specific key or system common key on the intermediate integrity check value.

[0134] Furthermore, in another embodiment of the data processing apparatus of the present invention, the encryption processing section generates a partial integrity check value through encryption processing on a partial data set containing at least one partial data item obtained by dividing the contents data into a plurality of parts and generates an intermediate integrity check value through encryption processing on a partial integrity check value set data string containing the partial integrity check value generated.

[0135] A nineteenth aspect of the present invention is a data processing method that processes contents data supplied via a recording medium or communication medium, characterized by selecting either one of an encryption processing system common key common to other data processing apparatuses using the contents data or an apparatus-specific key, which is specific to the data processing apparatus according to the utilization mode of the contents data, and executing encryption processing by applying the selected encryption processing key to the contents data.

[0136] Furthermore, another embodiment of the data processing method of the present invention is characterized in that the encryption processing key selecting step is a step of selecting according to utilization restriction information contained in the contents data.

[0137] Furthermore, another embodiment of the data processing method of the present invention is characterized in that the processing of storing contents data in the recording device, when imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus, generates data to be stored in the recording device by executing encryption processing applying the apparatus-specific key to the contents data, and in the case where the contents data is also made available to an apparatus other than the own data processing apparatus, data to be stored in the recording device is generated by executing encryption processing using the system common key on the contents data.

[0138] Furthermore, another embodiment of the data processing method of the present invention is characterized in that when the contents data is stored in the recording device imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus, the processing of recording contents data in the recording device generates an apparatus-specific check value through encryption processing applying the apparatus-specific signature key Kdev to the contents data and, when the contents data is stored in the recording device with the contents data also made available to an apparatus other than the own data processing apparatus, generates an overall check value through encryption processing applying the system signature key Ksys to the contents data, and either one of the apparatus-specific check value generated or the overall check value is stored together with the contents data in the recording device.

[0139] Furthermore, another embodiment of the data processing method of the present invention is characterized in that when contents data imposed with a utilization restriction that the contents data should be used only for the own data processing apparatus is reproduced, the contents data reproducing processing generates an apparatus-specific check value through encryption processing applying the apparatus-specific signature key Kdev to the contents data and executes collation processing on the apparatus-specific check value generated and, when contents data imposed with a utilization restriction that the contents data is also made available to an apparatus other than the own data processing apparatus is reproduced, generates an overall check value through encryption processing applying the system signature key Ksys to the contents data and performs collation processing on the overall check value generated, and contents data is reproduced only when collation with the apparatus-specific check value is established or when collation with the overall check value is established.

[0140] Furthermore, another embodiment of the data processing method of the present invention further comprises a step of generating a signature key Kdev as the data processing apparatus specific key through encryption processing based on data processing apparatus signature key master key MKdev and the data processing apparatus identifier IDdev.

[0141] Furthermore, another embodiment of the data processing method of the present invention is characterized in that the signature key Kdev generating step is a step of generating the signature key Kdev through DES encryption processing applying the data processing apparatus signature key master key MKdev to the data processing apparatus identifier IDdev.

[0142] Furthermore, another embodiment of the data processing method of the present invention further comprises a step of generating an intermediate integrity check value by executing encryption processing on the contents data, characterized by executing encryption processing applying the data processing apparatus specific key or system common key to the intermediate integrity check value.

[0143] Furthermore, another embodiment of the data processing method of the present invention is characterized by further generating a partial integrity check value through encryption processing on a partial data set containing at least one partial data item obtained by dividing the contents data into a plurality of parts and generating an intermediate integrity check value through encryption processing on a partial integrity check value set data string containing the partial integrity check value generated.
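The key selection and layered check values of paragraphs [0135] to [0143] can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 truncated to 64 bits replaces the DES processing the text names, and the key name k_icv, the record layout and all key and identifier values are constructed for illustration.

```python
import hashlib
import hmac


def enc(key: bytes, data: bytes) -> bytes:
    """Keyed "encryption processing". The page names DES; this example
    substitutes HMAC-SHA256 truncated to one 64-bit block."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def derive_kdev(mk_dev: bytes, id_dev: bytes) -> bytes:
    """Kdev generated from the master key MKdev and the identifier IDdev."""
    return enc(mk_dev, id_dev)


def intermediate_icv(k_icv: bytes, parts: list) -> bytes:
    """One partial check value per part, then a single check value over the
    string formed by the partial check values."""
    partial = [enc(k_icv, part) for part in parts]
    return enc(k_icv, b"".join(partial))


class Device:
    def __init__(self, mk_dev: bytes, id_dev: bytes, k_sys: bytes, k_icv: bytes):
        # Kdev is derived from MKdev and IDdev rather than provisioned per device.
        self.k_dev = derive_kdev(mk_dev, id_dev)
        self.k_sys = k_sys
        self.k_icv = k_icv  # hypothetical name for the partial-ICV key

    def signing_key(self, localized: bool) -> bytes:
        """Select Kdev for content restricted to this device, Ksys otherwise."""
        return self.k_dev if localized else self.k_sys

    def check_value(self, parts: list, localized: bool) -> bytes:
        inter = intermediate_icv(self.k_icv, parts)
        return enc(self.signing_key(localized), inter)

    def store(self, parts: list, localized: bool) -> dict:
        """Record written to the recording device: content, restriction flag
        and the apparatus-specific or overall check value."""
        return {"parts": list(parts), "localized": localized,
                "check_value": self.check_value(parts, localized)}

    def reproduce(self, record: dict) -> bool:
        """Regenerate the check value and continue only if collation succeeds."""
        expected = self.check_value(record["parts"], record["localized"])
        return hmac.compare_digest(expected, record["check_value"])


# Constructed sample keys, identifiers and content parts.
MK_DEV, K_SYS, K_ICV = b"constructed-MKdev", b"constructed-Ksys", b"constructed-Kicv"
DEVICE_A = Device(MK_DEV, b"IDdev-A", K_SYS, K_ICV)
DEVICE_B = Device(MK_DEV, b"IDdev-B", K_SYS, K_ICV)
PARTS = [b"header fields", b"block information", b"content block 1"]

if __name__ == "__main__":
    local = DEVICE_A.store(PARTS, localized=True)
    shared = DEVICE_A.store(PARTS, localized=False)
    print("A reads own localized record:", DEVICE_A.reproduce(local))
    print("B reads A's localized record:", DEVICE_B.reproduce(local))
    print("B reads shared record:       ", DEVICE_B.reproduce(shared))
```

Both devices hold the same MKdev and Ksys, so the only thing that separates them is the identifier fed into the derivation of Kdev.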

[0144] A twentieth aspect of the present invention is a program supply medium that supplies a computer program allowing a computer system to execute data processing that processes contents data supplied via a recording medium or communication medium, and the computer program comprises the steps of selecting either encryption processing key, an encryption processing system common key common to other data processing apparatuses using the contents data or an apparatus-specific key, which is specific to the data processing apparatus according to the utilization mode of the contents data, and executing encryption processing applying the selected encryption processing key to the contents data.

[0145] A twenty first aspect of the present invention is a data processing apparatus that processes contents data supplied via a recording medium or communication medium, comprising an encryption processing section that executes encryption processing on the contents data, and a control section that executes control over the encryption processing section, characterized in that the encryption processing section is configured to generate a contents check value in units of contents block data to be verified included in the data, execute collation on the contents check value generated and thereby execute verification processing on the validity of each contents block data in the data.

[0146] Furthermore, another embodiment of the data processing apparatus of the present invention comprises a contents check value generation key and is characterized in that the encryption processing section generates a contents intermediate value based on contents block data to be verified and generates a contents check value by executing encryption processing applying the contents check value generation key to the contents intermediate value.

[0147] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when the contents block data to be verified is encrypted, the encryption processing section generates a contents intermediate value by executing predetermined operation processing on an entire decrypted statement obtained through decryption processing of the contents block data in units of a predetermined number of bytes, and when the contents block data to be verified is not encrypted, generates a contents intermediate value by executing predetermined operation processing on the entire contents block data in units of a predetermined number of bytes.

[0148] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that the predetermined operation processing applied in the intermediate integrity check value generation processing by the encryption processing section is an exclusive-OR operation.

[0149] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section has an encryption processing configuration in CBC mode and the decryption processing applied to the content intermediate value generation processing when the contents block data to be verified is encrypted is decryption processing in CBC mode.

[0150] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing configuration in CBC mode of the encryption processing section is a configuration in which common key encryption processing is applied a plurality of times only to part of a message string to be processed.

[0151] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when the contents block data contains a plurality of parts and some parts included in the contents block data are to be verified, the encryption processing section generates a contents check value based on the parts to be verified, executes collation processing on the contents check value generated and thereby executes verification processing on the validity in units of content block data in the data.

[0152] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when the contents block data contains a plurality of parts and it is one part that needs to be verified, the encryption processing section generates a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where the parts to be verified is encrypted, and generates a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire part to be verified in the case where the parts to be verified is not encrypted.

[0153] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when the contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, the encryption processing section uses, as a contents check value, the result obtained by executing encryption processing applying the contents check value generation key to link data of a parts check value obtained by executing encryption processing applying a contents check value generation key to each part.

[0154] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section further comprises a recording device for storing contents data containing contents block data whose validity has been verified.

[0155] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when collation is not established in the collation processing on a contents check value in the encryption processing section, the control section stops storage in the recording device.

[0156] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that the encryption processing section further comprises a reproduction processing section for reproducing data whose validity has been verified.

[0157] Furthermore, another embodiment of the data processing apparatus of the present invention is characterized in that when collation is not established in the collation processing on a contents check value in the encryption processing section, the control section stops reproduction processing in the reproduction processing section.

[0158] A twenty second aspect of the present invention is a data processing method that processes contents data supplied via a recording medium or communication medium, characterized by generating a contents check value in units of contents block data to be verified included in the data, executing collation on the contents check value generated and thereby executing verification processing on the validity in units of contents block data in the data.

[0159] Furthermore, another embodiment of the data processing method of the present invention is characterized by generating a contents intermediate value based on contents block data to be verified and generating a contents check value by executing encryption processing applying the contents check value generation key to the contents intermediate value generated.

[0160] Furthermore, another embodiment of the data processing method of the present invention is characterized by generating, when the contents block data to be verified is encrypted, a contents intermediate value by executing predetermined operation processing on an entire decrypted statement obtained through decryption processing of the contents block data in units of a predetermined number of bytes, and generating, when the contents block data to be verified is not encrypted, a contents intermediate value by executing predetermined operation processing on the entire contents block data in units of a predetermined number of bytes.

[0161] Furthermore, another embodiment of the data processing method of the present invention is characterized in that the predetermined operation processing applied in the intermediate integrity check value generation processing is an exclusive-OR operation.

[0162] Furthermore, another embodiment of the data processing method of the present invention is characterized in that in the contents intermediate value generation processing, the decryption processing applied to the content intermediate value generation processing when the contents block data to be verified is encrypted is decryption processing in CBC mode.

[0163] Furthermore, another embodiment of the data processing method of the present invention is characterized in that in the decryption processing configuration in CBC mode, common key encryption processing is applied a plurality of times only to part of a message string to be processed.

[0164] Furthermore, another embodiment of the data processing method of the present invention is characterized by generating, when the contents block data contains a plurality of parts and some parts included in the contents block data are to be verified, a contents check value based on the parts to be verified, executing collation processing on the contents check value generated and thereby executing verification processing on the validity in units of content block data in the data.

[0165] Furthermore, another embodiment of the data processing method of the present invention is characterized by generating when the contents block data contains a plurality of parts and it is one part that needs to be verified, a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where the parts to be verified is encrypted, and generating a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire part to be verified in the case where the part to be verified is not encrypted.

[0166] Furthermore, another embodiment of the data processing method of the present invention is characterized by using, when the contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, as a contents check value, the result obtained by executing encryption processing further applying the contents check value generation key to link data of a parts check value obtained by executing encryption processing applying the contents check value generation key to each part.

[0167] Furthermore, another embodiment of the data processing method of the present invention further comprises a step of storing contents data containing contents block data whose validity has been verified.

[0168] Furthermore, another embodiment of the data processing method of the present invention is characterized in that when collation is not established in the collation processing on a contents check value, the control section stops storage in the recording device.

[0169] Furthermore, another embodiment of the data processing method of the present invention further comprises a step of reproducing data whose validity has been verified.

[0170] Furthermore, another embodiment of the data processing method of the present invention is characterized by stopping reproduction processing when collation is not established in the collation processing on a contents check value.

[0171] A twenty third aspect of the present invention is a contents data verification value assignment method for contents data verification processing, characterized by generating a contents check value in units of contents block data to be verified included in the data, assigning the contents check value generated to contents data containing the contents block data to be verified.

[0172] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized in that the contents check value is generated through encryption processing applying the contents check value generation key using the contents block data to be checked as a message.

[0173] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized in that the contents check value is generated by generating a contents intermediate value based on the contents block data to be verified and executing encryption processing applying the contents check value generation key to the contents intermediate value.

[0174] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized in that the contents check value is generated by executing encryption processing in CBC mode on the contents block data to be verified.

[0175] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized in that the encryption processing configuration in CBC mode is a configuration in which common key encryption processing is applied a plurality of times only to part of a message string to be processed.

[0176] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized by generating, when the contents block data contains a plurality of parts and some parts included in the contents block data are to be verified, a contents check value based on the parts to be verified and assigning the contents check value generated to contents data containing the content block data to be verified.

[0177] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized by generating, when the contents block data contains a plurality of parts and it is one part that needs to be verified, a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where the parts to be verified is encrypted, generating a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire part to be verified in the case where the parts to be verified is not encrypted and assigning the contents check value generated to the contents data containing the contents block data to be verified.

[0178] Furthermore, another embodiment of the contents data verification value assignment method of the present invention is characterized by using, when the contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, as a contents check value, the result obtained by executing encryption processing further applying the contents check value generation key to link data of a parts check value obtained by executing encryption processing applying the contents check value generation key to each part and assigning the contents check value generated to contents data containing the contents block data to be verified.
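The contents check value constructions named above (exclusive-OR intermediate value then keyed encryption, link data of per-part check values, and CBC-mode chaining) can be compared on the same input to see which modifications each one covers. This is an added example, not code from the patent: HMAC-SHA256 truncated to 64 bits stands in for the common key cipher, the 8-byte unit size is an assumption, and the key and sample data are constructed.

```python
import hashlib
import hmac

UNIT = 8  # assumed "predetermined number of bytes" (one 64-bit block)


def enc(key: bytes, block: bytes) -> bytes:
    """Stand-in for one common key encryption step with the contents check
    value generation key (HMAC-SHA256 truncated, not the page's cipher)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:UNIT]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_units(data: bytes) -> list:
    if len(data) % UNIT:
        raise ValueError("data length must be a multiple of UNIT bytes")
    return [data[i:i + UNIT] for i in range(0, len(data), UNIT)]


def intermediate_value(data: bytes) -> bytes:
    """Contents intermediate value: exclusive-OR of all UNIT-byte units."""
    acc = bytes(UNIT)
    for unit in split_units(data):
        acc = xor_bytes(acc, unit)
    return acc


def check_value_xor(key: bytes, data: bytes) -> bytes:
    """One part to verify: encrypt the exclusive-OR intermediate value."""
    return enc(key, intermediate_value(data))


def check_value_parts(key: bytes, parts: list) -> bytes:
    """Several parts to verify: encrypt the link data (concatenation) of the
    per-part check values."""
    return enc(key, b"".join(check_value_xor(key, p) for p in parts))


def check_value_cbc(key: bytes, data: bytes) -> bytes:
    """CBC-style chaining: every unit is mixed into the running state before
    the next keyed step, so unit position influences the result."""
    state = bytes(UNIT)
    for unit in split_units(data):
        state = enc(key, xor_bytes(state, unit))
    return state


def detected(key: bytes, original: bytes, modified: bytes) -> dict:
    """Which construction yields a different check value for `modified`."""
    return {
        "xor_fold": check_value_xor(key, original) != check_value_xor(key, modified),
        "cbc_chain": check_value_cbc(key, original) != check_value_cbc(key, modified),
    }


# Constructed sample key and a four-unit content block.
KEY = b"constructed-Kicvc"
BLOCK = b"HEADER00" + b"FRAME-01" + b"FRAME-02" + b"TRAILER0"
# One bit changed in the first byte.
BIT_CHANGED = bytes([BLOCK[0] ^ 0x01]) + BLOCK[1:]
# Same units, second and third exchanged.
_u = split_units(BLOCK)
REORDERED = _u[0] + _u[2] + _u[1] + _u[3]

if __name__ == "__main__":
    print("bit changed:", detected(KEY, BLOCK, BIT_CHANGED))
    print("reordered:  ", detected(KEY, BLOCK, REORDERED))
```

The exclusive-OR intermediate value depends only on the set of units, so unit order inside a part is covered by the CBC-style value and not by the folded one; the link data in check_value_parts does fix the order of the parts themselves.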

[0179] A twenty fourth aspect of the present invention is a program supply medium that supplies a computer program to execute data processing on contents data supplied via a recording medium or communication medium, with the computer program comprising a step of generating a contents check value in units of contents block data to be verified included in the data, and a step of executing collation processing on the contents check value generated and thereby executing verification processing on the validity in units of contents block data in the data.

[0180] A twenty fifth aspect of the present invention is a data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, which is characterized in that

[0181] in the case in which content data to be an object of storage in the recording device is structured by data stored in the header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of the content block applied encryption processing by an encryption key Kdis,

[0182] the data processing apparatus has a structure for executing processing for taking out the encryption key data Kdis[Kcon] from the header section and executing decryption processing to generate decryption data Kcon, generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the new encryption key data Kstr[Kcon] in the header section of the content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing.

[0183] A twenty sixth aspect of the present invention is a data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, which is characterized in that: in the case in which the content block included in content data to be an object of storage with respect to the recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in the header section, the data processing apparatus has a structure for executing processing for taking out the encryption key data Kdis[Kcon] from the header section and executing decryption processing to generate decryption data Kcon, generating an encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kcon] in the header section of the content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing.

[0184] In addition, a twenty seventh aspect of the present invention is a data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that: in the case in which the content block included in content data to be an object of storage with respect to the recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis, the data processing apparatus has a structure for executing processing for taking out the encryption key data Kdis[Kblc] from the content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc, generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kblc] in a contents block section, and applying a different encryption key Kstr to the generated decryption data Kblc to execute encryption processing.

[0185] In addition, a twenty eighth aspect of the present invention is a content data generating method for generating content data, which comprises: coupling a plurality of content blocks composed of data including at least any one of voice information, image information and program data; applying encryption processing to at least a part of content blocks included in the plurality of content blocks by an encryption key Kcon; generating encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis and storing the encryption key Kdis in a header section of the content data; and generating content data including the plurality of content blocks and the header section.

[0186] In addition, an embodiment of the content data generating method of the present invention is characterized by further comprising processing for generating block information storing information including identification information of content data, data length of content data, usage policy information including data types of content data, data length of the content block, and presence or absence of encryption processing, and storing the block information in the header section.

[0187] In addition, an embodiment of the content data generating method of the present invention is characterized in that the content data generating method comprises processing for further generating a part check value based on a part of information composing the header section and storing the part check value in the header section, and further generating a total check value based on the part check value and storing the total check value in the header section.

[0188] In addition, an embodiment of the content data generating method of the present invention is characterized in that the generation processing of the part check value and the generation processing of the total check value applies and executes a DES encryption processing algorithm with data to be an object of check as a message and a check value generating key as an encryption key.

[0189] In addition, an embodiment of the content data generating method of the present invention is characterized in that the content data generating method further applies encryption processing to the block information by the encryption key Kbit, and stores the encryption key data Kdis[Kbit] that is the encryption key Kbit generated by the encryption key Kdis in the header section.

[0190] In addition, an embodiment of the content data generating method of the present invention is characterized in that each block of the plurality of blocks in the content block is generated as a common fixed data length.

[0191] In addition, an embodiment of the content data generating method of the present invention is characterized in that each block of the plurality of blocks in the content block is generated with a structure in which an encryption data section and a non-encryption section are arranged regularly.

[0192] A twenty ninth aspect of the present invention is the content data generating method for generating content data which comprises: coupling a plurality of content blocks including at least any one of voice information, image information and program data; composing at least a part of the plurality of content blocks by an encryption data section that is data including at least any one of voice information, image information and program data by an encryption key Kblc, and a set of encryption key data Kcon[Kblc] that is the encryption key Kblc of the encryption data section applied encryption processing by an encryption key Kcon; generating encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis and storing the generated encryption key data Kdis[Kcon] in a header of the content data; and generating content data including a plurality of content blocks and a header section.

[0193] A thirtieth aspect of the present invention is the content data generating method for generating content data which comprises: coupling a plurality of content blocks including at least any one of voice information, image information and program data; composing at least a part of the plurality of content blocks by an encryption data section that is data including at least one of voice information, image information and program data by an encryption key Kblc, and a set of encryption key data Kdis[Kblc] that is the encryption key Kblc of the encryption data section applied encryption processing by an encryption key Kdis; and generating content data including a plurality of content blocks and a header section.

[0194] A thirty first aspect of the present invention is a data processing method for executing processing for storing in a recording device content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header in which information on the content blocks is stored, which comprises: in the case in which content data to be an object of storage in the recording device is structured by data stored in the header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of the content block applied encryption processing by an encryption key Kdis, taking out the encryption key data Kdis[Kcon] from the header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and storing the generated encryption key data Kstr[Kcon] in a header section of the content data, and storing the header section in the recording device together with the plurality of content blocks.

[0195] A thirty second aspect of the present invention is a data processing method for executing processing for storing in a recording device content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header in which information on the content blocks is stored, which comprises: in the case in which the content block included in content data to be an object of storage with respect to the recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in the header section, taking out the encryption key data Kdis[Kcon] from the header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing; and storing the generated encryption key data Kstr[Kcon] in a header section of the content data, and storing the header section in the recording device together with the plurality of content blocks.

[0196] A thirty third aspect of the present invention is a data processing method for executing processing for storing in a recording device content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header in which information on the content blocks is stored, which comprises: in the case in which the content block included in content data to be an object of storage with respect to the recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis, taking out the encryption key data Kdis[Kblc] from the content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc; generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kblc to execute decryption processing; and storing the generated encryption key data Kstr[Kblc] in a content block section, and storing the content block section in the recording device together with the plurality of content blocks.

[0197] A thirty fourth aspect of the present invention is a program providing medium for providing a computer program causing generation processing of storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, to be executed on a computer system, which is characterized in that: the computer program comprises: in the case in which content data to be an object of storage in the recording device is structured by data stored in the header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of the content block applied encryption processing by an encryption key Kdis, a step of taking out the encryption key data Kdis[Kcon] from the header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing; and storing the generated encryption key data Kstr[Kcon] in a header section of the content data.
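Added example (not part of the patent text): the header re-keying of paragraphs [0181] to [0197], where Kdis[Kcon] is unwrapped and stored again as Kstr[Kcon] while the content blocks encrypted under Kcon are left untouched. The dictionary layout and function names are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for the DES encryption the text names so that the sketch runs on the Python standard library alone; it provides no integrity protection by itself.

```python
import hashlib
import hmac
import os

# Constructed sample keys and blocks, for illustration only.
K_DIS = hashlib.sha256(b"constructed distribution key").digest()
K_STR = hashlib.sha256(b"constructed storage key").digest()
K_CON = hashlib.sha256(b"constructed content key").digest()
SAMPLE_BLOCKS = [b"audio frame 0", b"audio frame 1", b"program data"]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)              # fresh nonce per encryption
    return nonce + stream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:16], blob[16:])


def make_distribution_content(blocks, k_con: bytes, k_dis: bytes) -> dict:
    """Producer side: blocks under Kcon, header carries Kdis[Kcon]."""
    return {
        "header": {"wrapped_kcon": encrypt(k_dis, k_con), "wrapped_with": "Kdis"},
        "blocks": [encrypt(k_con, b) for b in blocks],
    }


def store_to_recording_device(content: dict, k_dis: bytes, k_str: bytes) -> dict:
    """Device side: take out Kdis[Kcon], recover Kcon, store Kstr[Kcon]."""
    k_con = decrypt(k_dis, content["header"]["wrapped_kcon"])
    header = dict(content["header"],
                  wrapped_kcon=encrypt(k_str, k_con),
                  wrapped_with="Kstr")
    # Only the 32-byte key blob is re-encrypted; the blocks are copied as-is.
    return {"header": header, "blocks": list(content["blocks"])}


def reproduce(content: dict, wrapping_key: bytes):
    """Playback: unwrap Kcon with the given key, then decrypt every block."""
    k_con = decrypt(wrapping_key, content["header"]["wrapped_kcon"])
    return [decrypt(k_con, b) for b in content["blocks"]]


if __name__ == "__main__":
    dist = make_distribution_content(SAMPLE_BLOCKS, K_CON, K_DIS)
    stored = store_to_recording_device(dist, K_DIS, K_STR)
    print("blocks unchanged:", stored["blocks"] == dist["blocks"])
    print("plays with Kstr :", reproduce(stored, K_STR) == SAMPLE_BLOCKS)
    print("plays with Kdis :", reproduce(stored, K_DIS) == SAMPLE_BLOCKS)
```

After storage the distribution key no longer opens the stored copy, which is the property the re-wrap exists to provide.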

[0198] A thirty fifth aspect of the present invention is a data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, which is characterized by comprising: a content data analyzing section for executing content data analysis of content data including compressed contents and an expansion processing program of the compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from the content data; and an expansion processing section for executing expansion processing of the content data included in the content data using an expansion processing program included in the content data obtained as a result of the analysis of the content data analyzing section.

[0199] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: a data storing section for storing the compressed contents that are extracted by the content data analyzing section; and a program storing section for storing the expansion processing program extracted by the content data analyzing section, and characterized in that the expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in the data storing section by applying the expansion processing program stored in the program storing section to the compressed contents.

[0200] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that the contents data analyzing section has a configuration for obtaining a configuration information of content data based on header information included in the content data and performing analysis of the content data.

[0201] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that reproduction priority information of the compressed contents is included in the header information and, if there are a plurality of compressed contents that are objects of expansion processing in the expansion processing section, the expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in the content data analyzing section.

[0202] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: displaying means for displaying information of the compressed contents that are objects of expansion processing; and inputting means for inputting reproduction contents identification data selected from the content information displayed on the displaying means, and characterized in that the expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from the inputting means.

[0203] In addition, a thirty sixth aspect of the present invention is a data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, which is characterized by comprising: a content data analyzing section for receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data; an expansion processing section for executing expansion processing of the compressed contents, characterized in that the expansion processing section has a configuration for selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed by the content data analyzing section based on the type of the expansion processing program analyzed by the content data analyzing section, and executing expansion processing by the selected expansion processing program.

[0204] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: a data storing section for storing the compressed contents that are extracted by the content data analyzing section; and a program storing section for storing the expansion processing program extracted by the content data analyzing section, and characterized in that the expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in the data storing section by applying the expansion processing program stored in the program storing section to the compressed contents.

[0205] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized in that reproduction priority information of the compressed contents is included in the header information and, if there are a plurality of compressed contents that are objects of expansion processing, content expansion processing in the expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in the content data analyzing section.

[0206] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising retrieving means for retrieving an expansion processing program, and characterized in that the retrieving means has a configuration for retrieving an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed by the content data analyzing section with program storing means accessible by the data processing apparatus as an object of retrieval.

[0207] In addition, in one embodiment of the data processing apparatus of the present invention, the data processing apparatus is characterized by further comprising: displaying means for displaying information of the compressed contents that are objects of expansion processing; and inputting means for inputting reproduction contents identification data selected from the content information displayed on the displaying means, and characterized in that the expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from the inputting means.

[0208] In addition, a thirty seventh aspect of the present invention is a data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, which is characterized by comprising: a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of the compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from the content data; and an expansion processing step of executing expansion processing of the content data included in the content data using an expansion processing program included in the content data obtained as a result of the analysis of the content data analyzing section.

[0209] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized by further comprising: a data storing step of storing the compressed contents that are extracted by the content data analyzing section; and a program storing step of storing the expansion processing program extracted by the content data analyzing section, and characterized in that the expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in the data storing step by applying the expansion processing program stored in the program storing step to the compressed contents.

[0210] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized in that the contents data analyzing step obtains a configuration information of content data based on header information included in the content data and performs analysis of the content data.

[0211] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized in that reproduction priority information of the compressed contents is included in the header information and, if there are a plurality of compressed contents that are objects of expansion processing in the expansion processing section, the expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in the content data analyzing step.

[0212] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized by further comprising: a displaying step of displaying information of the compressed contents that are objects of expansion processing on displaying means; and an inputting step of inputting reproduction contents identification data selected from the content information displayed on the displaying means, and characterized in that the expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from the inputting step.

[0213] In addition, a thirty eighth aspect of the present invention is a data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, which is characterized by comprising: a content data analyzing step of receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data; a selecting step of selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed in the content data analyzing step based on the type of the expansion processing program analyzed in the content data analyzing step; and an expansion processing step of executing expansion processing by the expansion processing program selected in the selecting step.

[0214] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized by further comprising: a data storing step of storing the compressed contents that are extracted by the content data analyzing section; and a program storing step of storing the expansion processing program extracted by the content data analyzing section, and characterized in that the expansion processing step executes expansion processing with respect to the compressed contents stored in the data storing step by applying the expansion processing program stored in the program storing step to the compressed contents.

[0215] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized in that reproduction priority information of the compressed contents is included in the header information and, if there are a plurality of compressed contents that are objects of expansion processing, the content expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in the content data analyzing step.

[0216] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized by comprising a retrieving step of retrieving an expansion processing program, and characterized in that the retrieving step retrieves an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed in the content data analyzing step with program storing means accessible by the data processing apparatus as an object of retrieval.

[0217] In addition, in one embodiment of the data processing method of the present invention, the data processing method is characterized by further comprising: a displaying step of displaying information of the compressed contents that are objects of expansion processing; and an inputting step of inputting reproduction contents identification data selected from the content information displayed on the displaying means, and characterized in that the expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from the inputting means.

[0218] In addition, a thirty ninth aspect of the present invention is a content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, which is characterized by generating content data in which compressed contents and an expansion processing program of the compressed contents are combined.

[0219] In addition, in one embodiment of the content data generating method of the present invention, the content data generating method is characterized in that a configuration information of the content data is added as header information of the content data.

[0220] In addition, in one embodiment of the content data generating method of the present invention, the content data generating method is characterized in that reproduction priority information of contents included in the content data is added as header information of the content data.

[0221] In addition, a fortieth aspect of the present invention is a content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, which is characterized in that content data is generated in which a type of content data for identifying whether the content data has compressed contents or an expansion processing program is added as header information; if the content data has compressed contents, a type of a compression processing program applied to the compressed contents is added as header information; and if the content data has an expansion processing program, a type of an expansion processing program is added as header information.

[0222] In addition, in one embodiment of the content data generating method of the present invention, the content data generating method is characterized in that reproduction priority information of contents included in the content data is added as header information of the content data.

[0223] In addition, a forty first aspect of the present invention is a program providing medium for providing a computer program that causes a computer system to execute reproduction processing of content data provided by a storage medium or a communication medium, which is characterized by comprising: a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of the compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from the content data; and an expansion processing step of executing expansion processing of the content data included in the content data using an expansion processing program included in the content data obtained as a result of the analysis of the content data analyzing section.

[0224] The program providing medium in accordance with the present invention is, for example, a medium for providing a computer program in a computer readable form to a general purpose computer system that can execute various program codes. A form of the medium is a storage medium such as a CD, an FD or an MO, or a transmission medium such as a network, and is not specifically limited.

[0225] Such a program providing medium defines a structural or functional cooperative relationship between a computer program and a providing medium for realizing a predetermined function of the computer program on a computer system. In other words, a cooperative operation is shown on the computer system by installing the computer program in the computer system via the providing medium, and operational effects similar to other aspects of the present invention can be obtained.

[0226] Other objects, features, and advantages of the present invention will be seen from the detailed explanation based on the embodiment and attached drawings of the present invention described later.

[0227] As described above, according to the data processing apparatus and method and data-verifying-value-imparting method of the present invention, partial integrity check values generated as integrity check values for a partial data set containing one or more partial data obtained by dividing content data into a plurality of pieces are used for a collation process to verify the partial data, and partial-integrity-check-value-verifying integrity check values used to verify a partial integrity check value set comprising a combination of a plurality of partial integrity check values are used for a collation process to verify the entirety of a plurality of partial data sets corresponding to a plurality of partial integrity check values constituting a partial integrity check value set. Consequently, compared to a configuration for imparting a single integrity check value to the entire content data, partial verification is achieved and the entire verification process is efficient due to the use of the partial integrity check values.

[0228] Further, according to the data processing apparatus and method and data-verifying-value-imparting method of the present invention, the verification process can be executed depending on how content data are used, for example, whether the data are to be downloaded or reproduced; for example, a verification process for a data portion that is unlikely to be tampered can be omitted. Therefore, efficient verification is achieved depending on how data are used.
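Added example (not part of the patent text): the two-level check of paragraphs [0187], [0188], [0227] and [0228], with one partial integrity check value per part, a total check value computed over the set of partial values, and verification limited to the parts a given use needs. HMAC-SHA256 replaces the DES-based check value the text names, and the key names, header layout and sample parts are constructed assumptions.

```python
import hashlib
import hmac

# Constructed check-value generating keys and sample parts (assumptions).
PART_KEY = hashlib.sha256(b"constructed partial-ICV key").digest()
TOTAL_KEY = hashlib.sha256(b"constructed total-ICV key").digest()
SAMPLE_PARTS = [b"usage policy", b"block information table",
                b"content block 0", b"content block 1"]


def icv(key: bytes, message: bytes) -> bytes:
    """Check value: data to be checked as message, generating key as key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def impart_check_values(parts, part_key: bytes, total_key: bytes) -> dict:
    """Producer side: one partial ICV per part, one ICV over the ICV set."""
    partial = [icv(part_key, p) for p in parts]
    return {"partial_icvs": partial,
            "total_icv": icv(total_key, b"".join(partial))}


def verify_parts(parts, header: dict, part_key: bytes, total_key: bytes,
                 wanted=None):
    """Consumer side.

    Returns (ok, bad_indices). bad_indices is None when the stored set of
    partial ICVs fails the total check, because then no partial value can
    be trusted. `wanted` restricts the per-part check to the indices a given
    use (download versus reproduction, for instance) actually needs.
    """
    stored = header["partial_icvs"]
    # Step 1: collate the total check value over the stored partial ICVs.
    expected_total = icv(total_key, b"".join(stored))
    if not hmac.compare_digest(expected_total, header["total_icv"]):
        return False, None
    if len(parts) != len(stored):
        return False, None
    # Step 2: collate only the requested parts against their partial ICVs.
    indices = range(len(parts)) if wanted is None else wanted
    bad = [i for i in indices
           if not hmac.compare_digest(icv(part_key, parts[i]), stored[i])]
    return (not bad), bad


if __name__ == "__main__":
    header = impart_check_values(SAMPLE_PARTS, PART_KEY, TOTAL_KEY)
    tampered = list(SAMPLE_PARTS)
    tampered[2] = b"content block X"
    print(verify_parts(SAMPLE_PARTS, header, PART_KEY, TOTAL_KEY))
    print(verify_parts(tampered, header, PART_KEY, TOTAL_KEY))
    print(verify_parts(tampered, header, PART_KEY, TOTAL_KEY, wanted=[0, 1]))
```

The last call shows the cost of selective verification: a modified part that is not in `wanted` passes unnoticed, so the omitted parts must be ones the use in question never consumes.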

[0229] Furthermore, the data processing apparatus and data processing method of the present invention are configured in such a way that individual keys necessary to execute encryption processing such as data encryption, data decryption, data verification, authentication processing and signature processing are not stored in a storage section, master keys to generate these individual keys are stored in the storage section instead, the encryption processing section of the data processing apparatus extracts the master keys corresponding to these individual keys such as encryption keys and authentication keys from the storage section as required, executes encryption processing applying a DES algorithm, etc. based on the extracted master keys and identification data of the apparatus or data and generates individual keys such as an encryption key and authentication key, and therefore the present invention eliminates the possibility of the individual keys themselves leaking from the storage section and enhances the security of an encryption processing system because acquiring the individual keys will require a plurality of information pieces such as information of both individual key generation algorithm and master keys, identification data of the apparatus or data. Moreover, even if an individual key is leaked for some reason, the range of damage is limited to the range of the individual key, which will not lead to collapse of the entire system.

[0230] Furthermore, the data processing apparatus, data processing system and data processing method of the present invention are configured in such a way that individual keys are sequentially generated based on the identification data of the apparatus or data, which eliminates the need to maintain the list of keys applied to individual apparatuses in a control apparatus, facilitating system control as well as enhancing the security.

[0231] Furthermore, according to the data processing apparatus, data processing method and contents data generation method of the present invention, illegal device identification data information is stored in contents data, collation between an illegal device list and the recorder/reproducer identifier of the recorder/reproducer attempting to use the contents is executed prior to the use of the contents by the recorder/reproducer, and in the case where the collation result shows that some entries of the illegal device list match the recorder/reproducer identifier, the subsequent processing, for example, contents data decryption, downloading or reproduction processing, etc. is stopped, thus making it possible to prevent a reproducer, etc. that has illegally acquired a key from illegally using contents.

[0232] Furthermore, the data processing apparatus, data processingmethod and contents data generation method of the present inventionadopt a configuration allowing the contents data to include check valuestogether for the illegal device list in the content data, making itpossible to prevent tampering of the list itself and provide a contentsdata utilization configuration with enhanced security.
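The collation of paragraphs [0231] and [0232], as an added example that is not part of the original specification: the content header carries an illegal device list together with a check value over that list, and the list is verified before the recorder/reproducer identifier is collated against it. The header field names, the 8-byte identifier length, the refusal when the list is absent and the use of HMAC-SHA-256 for the check value are assumptions.

```python
import hashlib
import hmac

ID_LEN = 8  # assumption: fixed-length recorder/reproducer identifiers


def list_check_value(icv_key: bytes, revoked_ids) -> bytes:
    """Check value over the whole list (assumed construction).

    The entry count is prefixed so that removing, adding or altering any
    entry changes the value.
    """
    body = len(revoked_ids).to_bytes(4, "big") + b"".join(revoked_ids)
    return hmac.new(icv_key, body, hashlib.sha256).digest()


def build_header(icv_key: bytes, revoked_ids) -> dict:
    """Content-generation side: store the list and its check value together."""
    ids = sorted(set(revoked_ids))
    if any(len(i) != ID_LEN for i in ids):
        raise ValueError("every identifier must be ID_LEN bytes")
    return {"illegal_device_list": ids,
            "list_icv": list_check_value(icv_key, ids)}


def check_before_use(icv_key: bytes, header: dict, device_id: bytes):
    """Run before decryption, download or reproduction.

    Returns (allowed, reason). Processing stops on any failure.
    """
    ids = header.get("illegal_device_list")
    icv = header.get("list_icv")
    if ids is None or icv is None:
        return False, "illegal device list missing"
    if any(len(i) != ID_LEN for i in ids):
        return False, "malformed list entry"
    # Verify the list first, so a stripped or edited list is never trusted.
    if not hmac.compare_digest(list_check_value(icv_key, ids), icv):
        return False, "list check value mismatch"
    if device_id in ids:
        return False, "device is on the illegal device list"
    return True, "ok"


if __name__ == "__main__":
    key = b"k" * 16  # constructed check value generation key
    header = build_header(key, [b"RP-00017", b"RP-00042"])  # constructed IDs
    print(check_before_use(key, header, b"RP-00001"))
    print(check_before_use(key, header, b"RP-00042"))
    # The entry for RP-00042 is removed without recomputing the check value.
    edited = dict(header, illegal_device_list=[b"RP-00017"])
    print(check_before_use(key, edited, b"RP-00042"))
```
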

[0233] Furthermore, the data processing apparatus and data processing method of the present invention allow a data processing apparatus such as a recorder/reproducer and PC to store an apparatus-specific key, which is specific to the data processing apparatus and a system common key, which is common to other data processing apparatuses using contents data, making it possible to process contents according to contents utilization restrictions. The data processing apparatus selectively uses these two keys according to contents utilization restrictions. For example, in the case where the contents are only available to the data processing apparatus, the key specific to the data processing apparatus is used, while in the case where the contents are also available to other systems, a check value for the contents data is generated and collation processing is performed using the system common key. It is possible to decrypt and reproduce the encrypted data only when the collation is established, thus allowing processing according to contents utilization restrictions such as contents only available to the data processing apparatus or contents commonly available to the system, etc.

[0234] Furthermore, the data processing apparatus, data processing method and contents data verification value assignment method of the present invention are configured to generate a contents check value in units of contents block data, execute collation processing on the contents check value generated, generate a contents intermediate value based on the contents block data to be verified and generate a contents check value through encryption processing applying a contents check value generation key, thus allowing efficient verification compared to conventional processing on entire data.

[0235] Furthermore, the data processing apparatus, data processing method and contents data verification value assignment method of the present invention allow verification in contents block units and simplified verification processing according to download processing and reproduction processing, etc., providing efficient verification according to the mode of use.
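The block-unit verification of paragraphs [0234] and [0235], as an added example that is not part of the original specification: each content block gets its own check value, so a reproducer can verify only the blocks it is about to use and can tell which block fails. The SHA-256 intermediate value, the HMAC-SHA-256 check value truncated to 8 bytes, the binding of the block index and all names are assumptions.

```python
import hashlib
import hmac


def block_check_value(icv_key: bytes, index: int, block: bytes) -> bytes:
    """Check value for one content block.

    Assumptions: the intermediate value is a SHA-256 digest of the block, and
    the check value is an HMAC over block index plus intermediate value, in
    place of the encryption with a check value generation key in the text.
    """
    intermediate = hashlib.sha256(block).digest()
    message = index.to_bytes(4, "big") + intermediate
    return hmac.new(icv_key, message, hashlib.sha256).digest()[:8]


def assign_check_values(icv_key: bytes, blocks) -> list:
    """Content-generation side: one check value per block."""
    return [block_check_value(icv_key, i, b) for i, b in enumerate(blocks)]


def verify_blocks(icv_key: bytes, blocks, check_values, indices=None) -> list:
    """Return the indices of blocks whose check value does not collate.

    With `indices` given, only those blocks are verified, for example the
    blocks about to be reproduced.
    """
    if len(blocks) != len(check_values):
        raise ValueError("block count and check value count differ")
    to_check = range(len(blocks)) if indices is None else indices
    failed = []
    for i in to_check:
        if not 0 <= i < len(blocks):
            raise IndexError(f"no block {i}")
        expected = block_check_value(icv_key, i, blocks[i])
        if not hmac.compare_digest(expected, check_values[i]):
            failed.append(i)
    return failed


if __name__ == "__main__":
    key = b"\x02" * 16  # constructed check value generation key
    blocks = [(b"block-%d" % i) * 100 for i in range(4)]  # constructed content
    values = assign_check_values(key, blocks)

    damaged = list(blocks)
    damaged[2] = damaged[2][:-1] + b"X"
    print("full verification, failing blocks:", verify_blocks(key, damaged, values))
    print("verifying blocks 0 and 1 only:", verify_blocks(key, damaged, values, [0, 1]))

    # Reordered blocks fail because the index is part of the check value.
    swapped = [blocks[1], blocks[0]] + blocks[2:]
    print("swapped blocks, failing blocks:", verify_blocks(key, swapped, values))
```
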

[0236] Furthermore, since the data processing apparatus, the content data generating method, and the data processing method of the present invention are made to have the configuration that is provided with the plurality of content blocks in the content data and enables encryption processing for a unit of each content block, and also have the configuration in which the key used for content encryption is further encrypted and stored in the header section, even if, for example, a plurality of content blocks exist and blocks requiring encryption processing and blocks not requiring encryption processing are mixed, it becomes possible to have an arbitrary data structure that couples each block.

[0237] In addition, according to the data processing apparatus, the data processing system, and the data processing method of the present invention, by making the configuration of the content block to be a regular configuration, for example, a configuration having a uniform data length, or a configuration in which the encryption block and the non-encryption (plaintext) block are alternately disposed, decryption processing and the like of the content block can be promptly executed, and encryption content data suitable for processing corresponding to contents of the content data, for example, reproduction and the like of music data can be provided.

[0238] Furthermore, the data processing apparatus, the data processing method and the content data generating method can efficiently execute reproduction processing in the case in which contents are compressed voice data, image data or the like. That is, by making a configuration of content data to be one in which compressed data and an expansion processing program are combined, expansion processing, to which an expansion processing program incidental to compressed content data is applied, is made possible in the reproduction processing apparatus, and a situation in which the expansion processing program does not exist in the reproduction processing apparatus and reproduction cannot be performed can be avoided.

[0239] Moreover, according to the data processing apparatus, the data processing method and the content data generating means, since a configuration of content data has a configuration in which the reproduction processing apparatus determines the expansion processing program applicable to the compressed content data based on the header information, and the reproduction processing apparatus further retrieves a program applicable from accessible recording media or the like and executes expansion processing by making content data to be a combination of compressed data and the header section storing the type of the compression processing program, or, if the contents have the expansion processing program, a combination of the expansion processing program and the header storing the type of the program, program retrieving processing does not need to be executed by a user, and efficient reproduction processing becomes possible.

BRIEF DESCRIPTION OF THE DRAWINGS

[0240] FIG. 1 is a view showing the configuration of a conventional data processing system.

[0241] FIG. 2 is a view showing the configuration of a data processing apparatus to which the present invention is applied.

[0242] FIG. 3 is a view showing the configuration of a data processing apparatus to which the present invention is applied.

[0243] FIG. 4 is a view showing a data format of content data on a medium or a communication path.

[0244] FIG. 5 is a view showing a usage policy contained in a header of content data.

[0245] FIG. 6 is a view showing block information contained in a header of content data.

[0246] FIG. 7 is a view showing an electronic signature generating method using the DES.

[0247] FIG. 8 is a view showing an electronic signature generating method using the Triple DES.

[0248] FIG. 9 is a view useful in explaining the aspect of the Triple DES.

[0249] FIG. 10 is a view showing an electronic signature generating method partly using the Triple DES.

[0250] FIG. 11 is a view showing a process flow of electronic signature generation.

[0251] FIG. 12 is a view showing a process flow of electronic signature generation.

[0252] FIG. 13 is a view useful in explaining a mutual authentication process sequence using a symmetrical cryptography technique.

[0253] FIG. 14 is a view useful in explaining a public key certificate.

[0254] FIG. 15 is a view useful in explaining a mutual authentication process sequence using an asymmetrical cryptography technique.

[0255] FIG. 16 is a view showing a process flow of an encryption process using elliptic curve cryptography.

[0256] FIG. 17 is a view showing a process flow of a decryption process using elliptic curve cryptography.

[0257] FIG. 18 is a view showing how data are held on a recording and reproducing device.

[0258] FIG. 19 is a view showing how data are held on a recording device.

[0259] FIG. 20 is a view showing a process flow of mutual authentication between the recording and reproducing device and the recording device.

[0260] FIG. 21 is a view showing the relationship between a master key of the recording and reproducing device and a corresponding master key of the recording device.

[0261] FIG. 22 is a view showing a process flow of a content download process.

[0262] FIG. 23 is a view useful in explaining a method for generating an integrity check value A: ICVa.

[0263] FIG. 24 is a view useful in explaining a method for generating an integrity check value B: ICVb.

[0264] FIG. 25 is a view useful in explaining a method for generating a total integrity check value and an integrity check value unique to the recording and reproducing device.

[0265] FIG. 26 is a view showing a format of content data stored in the recording device (localization field=0).

[0266] FIG. 27 is a view showing a format of content data stored in the recording device (localization field=1).

[0267] FIG. 28 is a view showing a process flow of a content reproduction process.

[0268] FIG. 29 is a view useful in explaining a method by which the recording device executes commands.

[0269] FIG. 30 is a view useful in explaining a method by which the recording device executes commands in a content storage process.

[0270] FIG. 31 is a view useful in explaining a method by which the recording device executes commands in a content reproduction process.

[0271] FIG. 32 is a view useful in explaining the configuration of a content data format type 0.

[0272] FIG. 33 is a view useful in explaining the configuration of a content data format type 1.

[0273] FIG. 34 is a view useful in explaining the configuration of a content data format type 2.

[0274] FIG. 35 is a view useful in explaining the configuration of a content data format type 3.

[0275] FIG. 36 is a view useful in explaining a method for generating a content integrity check value IDVi for the format type 0.

[0276] FIG. 37 is a view useful in explaining a method for generating a content integrity check value IDVi for the format type 1.

[0277] FIG. 38 is a view useful in explaining a total integrity check value and an integrity check value unique to the recording and reproducing device for the format types 2 and 3.

[0278] FIG. 39 is a view showing a process for downloading a content of the format type 0 or 1.

[0279] FIG. 40 is a view showing a process for downloading a content of the format type 2.

[0280] FIG. 41 is a view showing a process for downloading a content of the format type 3.

[0281] FIG. 42 is a view showing a process for reproducing a content of the format type 0.

[0282] FIG. 43 is a view showing a process for reproducing a content of the format type 1.

[0283] FIG. 44 is a view showing a process for reproducing a content of the format type 2.

[0284] FIG. 45 is a view showing a process for reproducing a content of the format type 3.

[0285] FIG. 46 is a view (1) useful in explaining a method by which a content generator and a content verifier generate integrity check values and execute verification using them.

[0286] FIG. 47 is a view (2) useful in explaining a method by which the content generator and the content verifier generate integrity check values and execute verification using them.

[0287] FIG. 48 is a view (3) useful in explaining a method by which the content generator and the content verifier generate integrity check values and execute verification using them.

[0288] FIG. 49 is a view useful in explaining a method for individually generating various keys using master keys.

[0289] FIG. 50 is a view (example 1) showing an example of a process executed by a content provider and a user in conjunction with the method for individually generating various keys using master keys.

[0290] FIG. 51 is a view (example 2) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.

[0291] FIG. 52 is a view useful in explaining a configuration for executing localization using different master keys.

[0292] FIG. 53 is a view (example 3) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.

[0293] FIG. 54 is a view (example 4) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.

[0294] FIG. 55 is a view (example 5) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.

[0295] FIG. 56 is a view showing a flow of a process for storing a cryptography key with the Triple DES applied thereto, using the Single DES algorithm.

[0296] FIG. 57 is a view showing a content reproduction process flow (example 1) based on priority.

[0297] FIG. 58 is a view showing a content reproduction process flow (example 2) based on priority.

[0298] FIG. 59 is a view showing a content reproduction process flow (example 3) based on priority.

[0299] FIG. 60 is a view useful in explaining a configuration for executing a process for decrypting (decompressing) compressed data during the content reproduction process.

[0300] FIG. 61 is a view showing an example of the configuration of a content (example 1).

[0301] FIG. 62 is a view showing a reproduction process flow in the example 1 of the configuration of the content.

[0302] FIG. 63 is a view showing an example of the configuration of a content (example 2).

[0303] FIG. 64 is a view showing a reproduction process flow in the example 2 of the configuration of the content.

[0304] FIG. 65 is a view showing an example of the configuration of a content (example 3).

[0305] FIG. 66 is a view showing a reproduction process flow in the example 3 of the configuration of the content.

[0306] FIG. 67 is a view showing an example of the configuration of a content (example 4).

[0307] FIG. 68 is a view showing a reproduction process flow in the example 4 of the configuration of the content.

[0308] FIG. 69 is a view useful in explaining a process for generating and storing save data.

[0309] FIG. 70 is a view showing a process flow for an example (example 1) of the process for storing save data.

[0310] FIG. 71 is a view showing the configuration of a data managing file (example 1) used during a process for storing and reproducing save data.

[0311] FIG. 72 is a view showing a process flow for an example (example 1) of the process for reproducing save data.

[0312] FIG. 73 is a view showing a process flow for an example (example 2) of the process for storing save data.

[0313] FIG. 74 is a view showing a process flow for an example (example 2) of the process for reproducing save data.

[0314] FIG. 75 is a view showing a process flow for an example (example 3) of the process for storing save data.

[0315] FIG. 76 is a view showing the configuration of a data managing file (example 2) used during the process for storing and reproducing save data.

[0316] FIG. 77 is a view showing a process flow for an example (example 3) of the process for reproducing save data.

[0317] FIG. 78 is a view showing a process flow for an example (example 4) of the process for storing save data.

[0318] FIG. 79 is a view showing a process flow for an example (example 4) of the process for reproducing save data.

[0319] FIG. 80 is a view showing a process flow for an example (example 5) of the process for storing save data.

[0320] FIG. 81 is a view showing the configuration of a data managing file (example 3) used during the process for storing and reproducing save data.

[0321] FIG. 82 is a view showing a process flow for an example (example 5) of the process for reproducing save data.

[0322] FIG. 83 is a view showing a process flow for an example (example 6) of the process for storing save data.

[0323] FIG. 84 is a view showing the configuration of a data managing file (example 4) used during the process for storing and reproducing save data.

[0324] FIG. 85 is a view showing a process flow for an example (example 6) of the process for reproducing save data.

[0325] FIG. 86 is a view useful in explaining a configuration for excluding invalid content users (revocation).

[0326] FIG. 87 is a view showing a flow of a process (example 1) for excluding invalid content users (revocation).

[0327] FIG. 88 is a view showing a flow of a process (example 2) for excluding invalid content users (revocation).

[0328] FIG. 89 is a view useful in explaining the configuration of the security chip (example 1).

[0329] FIG. 90 is a view showing a process flow for a method for manufacturing a security chip.

[0330] FIG. 91 is a view useful in explaining the configuration of the security chip (example 2).

[0331] FIG. 92 is a view showing a flow of a process for writing data in the security chip (example 2).

[0332] FIG. 93 is a view showing a flow of a process for checking written data in the security chip (example 2).

BEST MODE FOR CARRYING OUT THE INVENTION

[0333] The embodiments of the present invention will be described below. The description will proceed in the order of the following items:

[0334] (1) Configuration of Data Processing Apparatus

[0335] (2) Content Data Format

[0336] (3) Outline of Cryptography Processes Applicable to Present Data Processing Apparatus

[0337] (4) Configuration of Data Stored in Recording and Reproducing Apparatus

[0338] (5) Configuration of Data Stored in Recording Device

[0339] (6) Mutual Authentication Process between Recording and Reproducing Device and Recording Device

[0340] (6-1) Outline of Mutual Authentication Process

[0341] (6-2) Switching to Key Block during Mutual Authentication

[0342] (7) Process for Downloading from Recording and Reproducing Device to Recording Device

[0343] (8) Process Executed by Recording and Reproducing Device to Reproduce Information from Recording Device

[0344] (9) Key Exchanging Process after Mutual Authentication

[0345] (10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format

[0346] (11) Aspect of Process Executed by Content Provider to Generate Check Values (ICV)

[0347] (12) Cryptography Process Key Generating Configuration Based on Master Key

[0348] (13) Controlling Cryptography Intensity in Cryptography Process

[0349] (14) Program Activating Process Based on Activation Priority in Handling Policy in Content Data

[0350] (15) Content Configuration and Reproduction (Decompression) Process

[0351] (16) Process for Generating and Storing Saved Data in Recording Device and Reproducing the Same therefrom

[0352] (17) Configuration for Excluding (Revoking) Illegal Apparatuses

[0353] (18) Secure Chip Configuration and Manufacturing Method therefor

[0354] (1) Configuration of Data Processing Apparatus

[0355] FIG. 2 shows a block diagram showing the general configuration of one embodiment of a data processing apparatus according to the present invention. Main components of the data processing apparatus are a recording and reproducing device 300 and a recording device 400.

[0356] The recording and reproducing device 300 comprises, for example, a personal computer (PC), a game apparatus, or the like. The recording and reproducing device 300 has a control section 301 for carrying out unifying control including the control of communication between the recording and reproducing device 300 and the recording device 400 during a cryptography process in the recording and reproducing device 300, a recording and reproducing device cryptography process section 302 responsible for the whole cryptography process, a recording device controller 303 for executing an authentication process with the recording device 400 connected to the recording and reproducing device to read and write data, a read section 304 for at least reading data from a medium 500 such as a DVD, and a communication section 305 for transmitting and receiving data to and from the exterior, as shown in FIG. 2.

[0357] The recording and reproducing device 300 downloads and reproduces content data to and from the recording device 400 controlled by the control section 301. The recording device 400 is a storage medium that can preferably be installed in and removed from the recording and reproducing device 300, for example, a memory card, and has an external memory 402 comprising a non-volatile memory such as an EEPROM or a flash memory, a hard disk, or a RAM with batteries.

[0358] The recording and reproducing device 300 has a read section 304 as an interface to which content data stored in the storage medium shown at the left end of FIG. 2, that is, a DVD, a CD, an FD, or an HDD can be input, and a communication section 305 as an interface to which content data distributed from a network such as the Internet can be input, in order to receive an input of a content from the exterior.

[0359] The recording and reproducing device 300 has a cryptography process section 302 to execute an authentication process, encryption and decryption processes, a data verification process, and other processes in downloading content data externally input via the read section 304 or the communication section 305, to the recording device 400 or reproducing and executing content data from the recording device 400. The cryptography process section 302 comprises a control section 306 for controlling the entire cryptography process section 302, an internal memory 307 holding information such as keys for the cryptography process and which has been processed so as to prevent data from being externally read out therefrom easily, and an encryption/decryption section 308 for executing the encryption and decryption processes, generating and verifying authentication data, generating random numbers, etc.

[0360] The control section 301 transmits an initialization command to the recording device 400 via the recording device controller 303 when, for example, the recording device 400 is installed in the recording and reproducing device 300, or executes a mediation process for various processes such as a mutual authentication between the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 and the encryption/decryption section 406 of the recording device cryptography process section 401, an integrity check value collating process, and encryption and decryption processes. Each of these processes will be described in detail in the latter part.

[0361] The cryptography process section 302 executes the authentication process, the encryption and decryption processes, the data verifying process, and other processes, as previously described, and has the cryptography process control section 306, the internal memory 307, and the encryption/decryption section 308. The cryptography process control section 306 executes control of the whole cryptography process such as the authentication process and the encryption/decryption processes executed by the recording and reproducing device 300, for example, processes of setting an authentication completion flag when the authentication process executed between the recording and reproducing device 300 and the recording device 400 has completed, commanding the execution of various processes executed in the encryption/decryption section 308 of the recording and reproducing section cryptography process section 302, for example, a download process and a process for generating integrity check values for reproduced content data, and commanding the execution of a process for generating various key data.

[0362] The internal memory 307 stores key data, identification data, and other data required for various processes such as the mutual authentication process, the integrity check value collating process, and the encryption and decryption processes which are executed in the recording and reproducing device 300, as described later in detail.

[0363] The encryption/decryption section 308 uses key data and the like stored in the internal memory 307 to execute the authentication process, the encryption and decryption processes, the generation and verification of predetermined integrity check values or electronic signatures, the verification of data, the generation of random numbers, etc. in downloading externally input content data to the recording device 400 or reproducing and executing content data stored in the recording device 400.

[0364] In this case, the internal memory 307 of the recording and reproducing device cryptography process section 302 holds important information such as cryptography keys and must thus be configured so as not to have its data externally read out easily. Thus, the cryptography process section is configured as a tamper resistant memory characterized to restrain external invalid reads in that it comprises a semiconductor chip that essentially rejects external accesses and has a multilayer structure, an internal memory sandwiched between dummy layers of aluminum or the like or arranged in the lowest layer, and a narrow range of operating voltages and/or frequencies. This configuration will be described later in detail.

[0365] In addition to these cryptography process functions, the recording and reproducing device 300 comprises a main Central Processing Unit (CPU) 106, a RAM (Random Access Memory) 107, a ROM (Read Only Memory) 108, an AV process section 109, an input interface 110, a PIO (Parallel I/O) interface 111, and a SIO (Serial I/O) interface 112.

[0366] The main Central Processing Unit (CPU) 106, the RAM (Random Access Memory) 107, and the ROM (Read Only Memory) 108 are components functioning as a control system for the main body of the recording and reproducing device 300, and principally function as a reproduction process section for reproducing data decrypted by the recording and reproducing device cryptography process section 302. For example, the main Central Processing Unit (CPU) 106 executes control for the reproduction and execution of contents, such as output of content data read out from the recording device and then decrypted, to the AV process section 109 under the control of the control section 301.

[0367] The RAM 107 is used as a main storage memory for various processes executed by the CPU 106 and as a working area for these processes. The ROM 108 stores a basic program for starting up an OS or the like activated by the CPU 106, and other data.

[0368] The AV process section 109 has a data compression and decompression process mechanism, specifically, an MPEG2 decoder, an ATRAC decoder, an MP3 decoder, or the like, to execute processes for data outputs to a data output apparatus such as a display or speakers (not shown) attached or connected to the recording and reproducing device main body.

[0369] The input interface 110 outputs input data from various connected input means such as a controller, a keyboard, and a mouse, to the main CPU 106. The main CPU 106 executes a process in accordance with a command issued by a user via the controller, based on a game program being executed or the like.

[0370] The PIO (Parallel I/O) interface 111 and the SIO (Serial I/O) interface 112 are used as storage devices for a memory card or a game cartridge and as a connection interface to a portable electronic device or the like.

[0371] The main CPU 106 also executes control in storing as saved data, setting data or the like for a game being executed or the like. During this process, stored data are transferred to the control section 301, which causes the cryptography process section 302 to execute a cryptography process for the saved data as required and then stores the encrypted data in the recording device 400. These cryptography processes will be described later in detail.

[0372] The recording device 400 is a storage medium that can preferably be installed in and removed from the recording and reproducing device 300, and comprises, for example, a memory card. The recording device 400 has the cryptography process section 401 and the external memory 402.

[0373] The recording device cryptography process section 401 executes the mutual authentication process, encryption and decryption processes, data verification process, and other processes between the recording and reproducing device 300 and the recording device 400 in downloading content data from the recording and reproducing device 300 or reproducing content data from the recording device 400 to the recording and reproducing device 300, and has a control section, an internal memory, an encryption/decryption section, and others similarly to the cryptography process section of the recording and reproducing device 300. The details will be shown in FIG. 3. The external memory 402 comprises a non-volatile memory comprising a flash memory such as an EEPROM, a hard disk, or a RAM with batteries, or the like, to store encrypted content data or the like.

[0374] FIG. 3 is a view schematically showing the configuration of data input from a medium 500 and a communication means 600 that are data providing means from which the data processing apparatus according to the present invention receives data, and focusing on the configurations of the recording and reproducing device 300 receiving an input of a content from the content providing means 500 or 600 and of arrangements for the cryptography process in the recording device 400.

[0375] The medium 500 is, for example, an optical disk medium, a magnetic disk medium, a magnetic tape medium, a semiconductor medium, or the like. The communication means 600 is capable of data communication such as Internet, cable, or satellite communication.

[0376] In FIG. 3, the recording and reproducing device 300 verifies data input by the medium 500 or the communication means 600, that is, a content meeting a predetermined format as shown in FIG. 3, and stores the verified content in the recording device 400.

[0377] As shown in the sections of the medium 500 and communication means 600 in FIG. 3, the content data has the following components:

[0378] Content ID: content ID as an identifier for content data.

[0379] Usage policy: a usage policy containing constituent information of content data, for example, the sizes of a header section and a content section constituting the content data, a format version, a content type indicating whether the content is a program or data, a localization field indicating whether the content can be used only in an apparatus that has downloaded the content or also in other apparatuses.

[0380] Block information table: block information table comprising the number of content blocks, a block size, an encryption flag indicating the presence of encryption, and others.

[0381] Key data: key data comprising an encryption key for encrypting the above described block information table, a content key for encrypting a content block, or the like.

[0382] Content block: content block comprising program data, music or image data, or other data to be actually reproduced.

[0383] The content data will be explained later in further detail with reference to FIG. 4 and subsequent figures.

[0384] The content data are encrypted by the content key (hereafter referred to as the “Kcon”) and then provided to the recording and reproducing device 300 from the medium 500 or the communication means 600. The content can be stored in the external memory of the recording device 400 via the recording and reproducing device 300.

[0385] For example, the recording device 400 uses a key (hereafter referred to as a “storage key” (Kstr)) unique thereto stored in the internal memory 405 thereof to encrypt the content contained in the content data, the block information table contained in the content data as header information, and information on various keys such as the content key Kcon, before storing these data in the external memory 402. To download the content data from the recording and reproducing device 300 to the recording device 400 or allow the recording and reproducing device 300 to reproduce the content data stored in the recording device 400, predetermined procedures such as a mutual authentication process between the apparatuses and content data encrypting and decrypting processes are required. These processes will be explained later in detail.

[0386] The recording device 400 has the cryptography process-section 401and the external memory 402, and the cryptography process section 401has a control section 403, a communication section 404, the internalmemory 405, an encryption/decryption section 406, and an external memorycontrol section 407.

[0387] The recording device 400 is responsible for the wholecryptography process, controls the external memory 402, and comprisesthe recording device cryptography process section 401 for interpreting acommand from the recording and reproducing device 300 and executing aprocess, and the external memory 402 holding contents or the like.

[0388] The recording device cryptography process section 401 has the control section 403 for controlling the entire recording device cryptography process section 401, the communication section 404 for transmitting and receiving data to and from the recording and reproducing device 300, the internal memory 405 holding information such as keys for the cryptography process and which has been processed so as to prevent data from being externally read out therefrom easily, the encryption/decryption section 406 for executing the encryption and decryption processes, generating and verifying authentication data, generating random numbers, etc., and the external memory control section 407 for reading and writing data from and to the external memory 402.

[0389] The control section 403 executes control of the whole cryptography process such as the authentication process and the encryption/decryption processes executed by the recording device 400, for example, processes of setting an authentication completion flag when the authentication process executed between the recording and reproducing device 300 and the recording device 400 has completed, commanding the execution of various processes executed in the encryption/decryption section 406 of the cryptography process section 401, for example, a download process and a process for generating integrity check values for reproduced content data, and commanding the execution of a process for generating various key data.

[0390] The internal memory 405 comprises a memory having a plurality of blocks to store a plurality of sets of key data, identification data, or other data which are required for various processes such as the mutual authentication process, integrity check value collating process, and encryption and decryption process which are executed by the recording device 400, as described later in detail.

[0391] The internal memory 405 of the recording device cryptography process section 401, like the internal memory 307 of the recording and reproducing device cryptography process section 302 previously described, holds important information such as cryptography keys and must thus be configured so as not to have its data externally read out easily. Thus, the cryptography process section 401 of the recording device 400 is characterized to restrain external invalid reads in that it comprises a semiconductor chip that essentially rejects external accesses and has a multilayer structure, an internal memory sandwiched between dummy layers of aluminum or the like or arranged in the lowest layer, and a narrow range of operating voltages and/or frequencies. In this regard, the recording and reproducing device cryptography process section 302 may be software configured so as to prevent secret information for keys from leaking easily to the exterior.

[0392] The encryption/decryption section 406 uses key data or the like stored in the internal memory 405 to execute the data verifying process, the encryption and decryption processes, the generation and verification of predetermined integrity check values or electronic signatures, the generation of random numbers, etc. in downloading content data from the recording and reproducing device 300, reproducing content data stored in the external memory 402 of the recording device 400, or executing mutual authentication between the recording and reproducing device 300 and the recording device 400.

[0393] The communication section 404 is connected to the recording device controller 303 of the recording and reproducing device 300 to download or reproduce content data or communicate transfer data between the recording and reproducing device 300 and the recording device 400 during the mutual authentication process according to the control of the control section 301 of the recording and reproducing device 300, or the control of the control section 403 of the recording device 400.

[0394] (2) Content Data Format

[0395] Next, by using FIG. 4 to FIG. 6, the data format of data stored in the medium 500 of the system according to the present invention or communicated on the data communication means 600 will be explained.

[0396] The configuration shown in FIG. 4 shows the format of the entire content data, the configuration shown in FIG. 5 shows details of the “usage policy” partly constituting the header section of the content data, and the configuration shown in FIG. 6 shows details of the “block information table” partly constituting the header section of the content.

[0397] A representative example of the data format applied to the system according to the present invention will be explained, but different types of data formats such as formats corresponding to game programs and formats suitable for real-time processing of music data or the like can be used for the present system. The aspects of these formats will be described later in further detail, in “(10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format”.

[0398] In the data format shown in FIG. 4, items shown in gray indicate encrypted data, items enclosed by double frames indicate tamper check data, and the other items shown in white indicate plain text data that are not encrypted. Encryption keys of the encryption section are shown on the left of the frames. In the example shown in FIG. 4, some of the blocks (content block data) of the content section contain encrypted data, while the others contain non-encrypted data. This form varies depending on the content data, and all the content block data contained in the data may be encrypted.

[0399] As shown in FIG. 4, the data format is divided into the header section and the content section, and the header section comprises a content ID, a usage policy, an integrity check value A (hereafter referred to as “ICVa”), a block information table key (hereafter referred to as “Kbit”), a content key Kcon, a block information table (hereafter referred to as “BIT”), an integrity check value B (ICVb), and a total integrity check value (ICVt), and the content section comprises a plurality of content blocks (for example, encrypted and non-encrypted contents).

[0400] In this case, the individual information indicates a content ID for identifying a content. The usage policy comprises a header length indicating the size of the header section, a content length indicating the size of the content section, a format version indicating version information for the format, a format type indicating the type of the format, a content type indicating the type of the content, that is, whether it is a program or data, an operation priority indicating a priority for activation if the content type is a program, a localization field indicating whether the content downloaded in accordance with this format can be used only in an apparatus that has downloaded the content or also in other similar apparatuses, a copy permission indicating whether the content downloaded in accordance with this format can be copied from the apparatus that has downloaded the content to another similar apparatus, a move permission indicating whether the content downloaded in accordance with this format can be moved from the apparatus that has downloaded the content to another similar apparatus, an encryption algorithm indicating an algorithm used to encrypt content blocks in the content section, an encryption mode indicating a method for operating the algorithm used to encrypt the content in the content section, and an integrity check method indicating a method for generating integrity check values, as shown in detail in FIG. 5.

[0401] The above described data items recorded in the usage policy are only exemplary and various usage policy information can be recorded depending on the aspect of corresponding content data. The identifier as described later in detail in, for example, “(17) Configuration for Excluding (Revoking) Illegal Apparatuses”. It is also possible to make a configuration so as to exclude the use of content caused by the illegal apparatus by recording the content of an illegal recording and reproducing apparatus as data and by checking the time of starting the use.

[0402] The integrity check value A ICVa is used to verify that the content ID or the usage policy has not been tampered with. It functions as a check value for partial data instead of the entire content data, that is, as a partial integrity check value. The data block information table key Kbit is used to encrypt a block information table, and the content key Kcon is used to encrypt content blocks. The block information table key Kbit and the content key Kcon are encrypted with a distribution key (hereafter referred to as “Kdis”) on the medium 500 and the communication means 600.

[0403] FIG. 6 shows the block information table in detail. The block information table in FIG. 6 comprises data all encrypted with the block information table key Kbit as seen in FIG. 4. The block information table comprises a block number indicating the number of content blocks and information on N content blocks, as shown in FIG. 6. The content block information table comprises a block length, an encryption flag indicating whether or not the block has been encrypted, an ICV flag indicating whether or not integrity check values must be calculated, and a content integrity check value (ICVi).

[0404] The content integrity check value is used to verify that each content block has not been tampered with. A specific example of a method for generating a content integrity check value will be explained later in “(10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format”. The block information table key Kbit used to encrypt the block information table is further encrypted with the distribution key Kdis.

[0405] The description of the data format in FIG. 4 continues. The integrity check value B ICVb is used to verify that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with. It functions as a check value for partial data instead of the entire content data, that is, as a partial integrity check value. The total integrity check value ICVt is used to verify that the integrity check values ICVa and ICVb, integrity check values ICVi for each content block (if this has been set), partial integrity check values thereof, or all the data to be checked have not been tampered with.

[0406] In FIG. 6, the block length, the encryption flag, and the ICV flag can be arbitrarily set, but certain rules may be established. For example, encrypted- and plain-text areas may be repeated over a fixed length, all the content data may be encrypted, or the block information table BIT may be compressed. Additionally, to allow different content keys Kcon to be used for different content blocks, the content key Kcon may be contained in the content block instead of the header section. Examples of the content data format will be described in further detail in “(10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format”.

[0407] (3) Outline of Cryptography Processes Applicable to Present Data Processing Apparatus

[0408] Next, the aspects of various cryptography processes applicable to the data processing apparatus according to the present invention will be explained. The description of the cryptography processes shown in “(3) Outline of Cryptography Processes Applicable to Present Data Processing Apparatus” corresponds to an outline of the cryptography processes on which the various processes executed by the present data processing apparatus are based; these are specifically described later, for example, in “a. authentication process between recording and reproducing device and recording device”, “b. download process for device for loading contents”, and “c. process for reproducing content stored in recording device”. Specific processes executed by the recording and reproducing device 300 and the recording device 400 will each be described in detail in item (4) and subsequent items.

[0409] An outline of the cryptography process applicable to the data processing apparatus will be described in the following order:

[0410] (3-1) Message Authentication Based on Common Key Cryptosystem

[0411] (3-2) Electronic Signature Based on Public Key Cryptosystem

[0412] (3-3) Verification of Electronic Signature Based on Public Key Cryptosystem

[0413] (3-4) Mutual Authentication Based on Common Key Cryptosystem

[0414] (3-5) Public Key Certificate

[0415] (3-6) Mutual Authentication Based on Public Key Cryptosystem

[0416] (3-7) Encryption Process Using Elliptic Curve Cryptography

[0417] (3-8) Decryption Process Using Elliptic Curve Cryptography

[0418] (3-9) Random Number Generating Process

[0419] (3-1) Message Authentication Based on Common Key Cryptosystem

[0420] First, a process for generating tamper detecting data using a common key cryptography method will be explained. The tamper detecting data are added to the data to be checked for tampering, in order to detect tampering and authenticate the creator.

[0421] For example, the integrity check values A and B and total integrity check value in the data structure described in FIG. 4 which are enclosed by double frames, the content check value stored in each block in the block information table shown in FIG. 6, and the like are generated as the tamper detecting data.

[0422] Here, the use of the DES, which is a common key cryptosystem, will be explained as an example of a method for generating and processing electronic signature data. In addition to the DES, the present invention may use, for example, the FEAL (Fast Encipherment Algorithm) or the AES (Advanced Encryption Standard) (U.S. next-term standard cryptography) as a similar process based on a common key cryptosystem.

[0423] A method for generating an electronic signature using a general DES will be explained with reference to FIG. 7. First, before generating an electronic signature, a message to which the electronic signature is to be added is divided into sets of 8 bytes (the pieces of the divided message are hereafter referred to as “M1, M2, . . . , MN”). An initial value (hereafter referred to as “IV”) and the M1 are exclusive-ORed (the result is referred to as “I1”). Next, the I1 is input to a DES encrypting section, which encrypts it using a key (hereafter referred to as “K1”) (the output is referred to as “E1”). Subsequently, the E1 and the M2 are exclusive-ORed, and the output I2 is input to the DES encrypting section, which encrypts it using the key K1 (the output is referred to as “E2”). This process is repeated to encrypt all the messages obtained by means of the division. The final output EN is an electronic signature. This value is generally called a “MAC (Message Authentication Code)” used to check a message for tampering. In addition, such a system for chaining encrypted texts is called a “CBC (Cipher Block Chaining) mode”.

[0424] The MAC value output in the example of generation shown in FIG. 7 can be used as the integrity check value A or B or total integrity check value in the data structure shown in FIG. 4 which is enclosed by double frames and the content check value ICV1 to ICVN stored in each block in the block information table shown in FIG. 6. In verifying the MAC value, a verifier generates it using a method similar to that used to originally generate it, and the verification is determined to be successful if the same value is obtained.

[0425] Moreover, in the example shown in FIG. 7, the initial value IV is exclusive-ORed with the first 8-byte message M1, but the initial value IV may be zero and not exclusive-ORed.

[0426] FIG. 8 shows the configuration of a method for generating the MAC value which has improved security compared to the MAC value generating method shown in FIG. 7. FIG. 8 shows an example where instead of the Single DES in FIG. 7, the Triple DES is used to generate the MAC value.

[0427] FIGS. 9A and 9B show an example of a detailed configuration of each of the Triple DES components shown in FIG. 8. There are two different aspects of the configuration of the Triple DES as shown in FIG. 9. FIG. 9(a) shows an example using two cryptography keys where processing is carried out in the order of an encryption process with a key 1, a decryption process with a key 2, and an encryption process with the key 1. The two types of keys are used in the order of K1, K2, and K1. FIG. 9(b) shows an example using three cryptography keys where processing is carried out in the order of an encryption process with the key 1, an encryption process with the key 2, and an encryption process with a key 3. The three types of keys are used in the order of K1, K2, and K3. The plurality of processes are thus continuously executed to improve security intensity compared to the Single DES. The Triple DES configuration, however, has the disadvantage of requiring an amount of processing time three times as large as that for the Single DES.

[0428] FIG. 10 shows an example of a MAC value generating configuration obtained by improving the Triple DES configuration described in FIGS. 8 and 9. In FIG. 10, the encryption process for each of the messages from beginning to end of a message string to which a signature is to be added is based on the Single DES, while only the encryption process for the last message is based on the Triple DES configuration shown in FIG. 9(a).

[0429] The configuration shown in FIG. 10 reduces the time required to generate the MAC value for the message down to a value almost equal to the time required for the MAC value generating process based on the Single DES, with security improved compared to the MAC value based on the Single DES. Moreover, the Triple DES configuration for the last message may be as shown in FIG. 9(b).

[0430] (3-2) Electronic Signature Based on Public Key Cryptosystem

[0431] The method for generating electronic signature data if the common key encryption system is used as the encryption system has been described; next, a method for generating electronic signature data if a public key cryptosystem is used as the encryption system will be described with reference to FIG. 11. The process shown in FIG. 11 corresponds to a process flow of generation of electronic signature data using the Elliptic Curve Digital Signature Algorithm (EC-DSA), IEEE P1363/D3. An example using the Elliptic Curve Cryptography (hereafter referred to as “ECC”) as public key cryptography will be explained. In addition to the elliptic curve cryptography, the data processing apparatus according to the present invention may use, for example, the RSA (Rivest, Shamir, Adleman; ANSI X9.31) cryptography, which is a similar public key cryptosystem.

[0432] Each step in FIG. 11 will be described. At step S1, the following definitions are set: reference symbol p denotes a characteristic, a and b denote coefficients of an elliptic curve (elliptic curve: y²=x³+ax+b), G denotes a base point on the elliptic curve, r denotes the order of G, and Ks denotes a secret key (0<Ks<r). At step S2, a hash value for the message M is calculated to obtain f=Hash(M).

[0433] Then, a method for determining a hash value using a hash function will be explained. The hash function receives a message as an input, compresses it into data of a predetermined bit length, and outputs the compressed data as a hash value. The hash value is characterized in that it is difficult to predict an input from a hash value (output), in that when one bit of data input to the hash function changes, many bits of the hash value change, and in that it is difficult to find different input data with the same hash value. The hash function may be MD4, MD5, or SHA-1, or DES-CBC similar to that described in FIG. 7 or other figures. In this case, the MAC (corresponding to the integrity check value ICV), which is the final output value, is the hash value.

[0434] Subsequently, at step S3, a random number u (0<u<r) is generated, and at step S4, the base point is multiplied by u to obtain coordinates V (Xv, Yv). An addition and a multiplication by two on the elliptic curve are defined as follows:

[0435] If P=(Xa, Ya), Q=(Xb, Yb), R=(Xc, Yc)=P+Q.

[0436] When P≠Q (addition),

Xc=λ²−Xa−Xb

Yc=λ×(Xa−Xc)−Ya

λ=(Yb−Ya)/(Xb−Xa)

[0437] When P=Q (multiplication by two),

Xc=λ²−2Xa

Yc=λ×(Xa−Xc)−Ya

λ=(3(Xa)²+a)/(2Ya)  (1)

[0438] These are used to multiply the point G by u (although the calculation speed is low, the most easy-to-understand calculation method is shown below). G, 2×G, 4×G, . . . are calculated, the u is binary-expanded, and the corresponding 2^i×G (the value obtained by multiplying G by 2 i times) is added for each bit that is 1 (i denotes a bit position as counted from the LSB).

[0439] At step S5, c=Xv mod r is calculated, and at step S6, it is determined whether the result is zero. If the result is not zero, then at step S7, d=[(f+cKs)/u] mod r is calculated, and at step S8, it is determined whether d is zero. If the d is not zero, then at step S9, the c and d are output as electronic signature data. When r is assumed to denote the length of 160 bits, the electronic signature data have a length of 320 bits.

[0440] If the c is 0 at step S6, the process returns to step S3 to regenerate a new random number. Similarly, if the d is 0 at step S8, the process also returns to step S3 to regenerate a new random number.

[0441] (3-3) Verification of Electronic Signature Based on Public Key Cryptosystem

[0442] Next, a method for verifying an electronic signature using the public key cryptosystem will be described with reference to FIG. 12. At step S11, the following definitions are set: reference symbol M denotes a message, reference symbol p denotes a characteristic, reference symbols a and b denote elliptic curve coefficients (elliptic curve: y²=x³+ax+b), reference symbol G denotes a base point on the elliptic curve, reference symbol r denotes the order of G, and reference symbols G and Ks×G denote public keys (0<Ks<r). At step S12, it is verified that the electronic signature data c and d meet 0<c<r and 0<d<r. If the data meet these conditions, then at step S13, a hash value for the message M is calculated to obtain f=Hash(M). Next, at step S14, h=1/d mod r is calculated, and at step S15, h1=fh mod r and h2=ch mod r are calculated.

[0443] At step S16, the already calculated h1 and h2 are used to calculate P=(Xp, Yp)=h1×G+h2·Ks×G. An electronic-signature verifier knows the public keys G and Ks×G and can thus calculate a scalar multiplication of a point on the elliptic curve similarly as step S4 in FIG. 11. Then, at step S17, it is determined whether the P is a point at infinity, and if not, the process proceeds to step S18 (the determination of whether the P is a point at infinity can actually be made at step S16. That is, when P=(X, Y) and Q=(X, −Y) are added together, the λ cannot be calculated, indicating that P+Q is a point at infinity). At step S18, Xp mod r is calculated and compared with the electronic signature data c. Finally, if these values are equal, the process proceeds to step S19 to determine that the electronic signature is correct.

[0444] If it is determined that the electronic signature is correct, this indicates that the data have not been tampered with and that a person holding the secret key corresponding to the public keys has generated the electronic signature.

[0445] If the signature data c or d do not meet 0<c<r or 0<d<r at step S12, the process proceeds to step S20. Additionally, if the P is a point at infinity at step S17, the process also proceeds to step S20. Further, if the value of Xp mod r does not equal the signature data c at step S18, the process proceeds to step S20.

[0446] If it is determined at step S20 that the signature is incorrect, this indicates that the received data have been tampered with or have not been generated by the person holding the secret key corresponding to the public keys.
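The signing steps S1 to S9 of FIG. 11 and the verification steps S11 to S20 of FIG. 12, written out as an added Python example that is not part of the original specification. The curve (secp256k1), the use of SHA-256 for Hash(M), and all function names are assumptions made for the example; the specification names no particular curve and speaks of a 160-bit r.

```python
import hashlib
import secrets

# Step S1 / S11 definitions in the page's notation. secp256k1 is an assumed
# curve chosen for this example; the specification does not name one.
p = 2**256 - 2**32 - 977                      # characteristic
a, b = 0, 7                                   # y^2 = x^3 + a*x + b
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
r = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def on_curve(P):
    return P is None or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0


def add(P, Q):
    """R = P + Q with the addition and doubling formulas; None is infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (xa, ya), (xb, yb) = P, Q
    if xa == xb and (ya + yb) % p == 0:
        return None                           # lambda cannot be calculated
    if P == Q:                                # multiplication by two
        lam = (3 * xa * xa + a) * pow(2 * ya % p, -1, p) % p
    else:                                     # addition
        lam = (yb - ya) * pow((xb - xa) % p, -1, p) % p
    xc = (lam * lam - xa - xb) % p
    return (xc, (lam * (xa - xc) - ya) % p)


def mul(k, P):
    """Binary expansion of k: add 2^i x P for every bit i of k that is 1.
    Easy to follow but slow and not constant time."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def hash_int(message):
    # Hash(M); SHA-256 is an assumption, the page lists other hash functions.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(ks, message):
    f = hash_int(message)                     # S2
    while True:
        u = secrets.randbelow(r - 1) + 1      # S3: 0 < u < r
        xv, _ = mul(u, G)                     # S4: V = u x G
        c = xv % r                            # S5
        if c == 0:                            # S6: back to S3
            continue
        d = (f + c * ks) * pow(u, -1, r) % r  # S7
        if d == 0:                            # S8: back to S3
            continue
        return c, d                           # S9


def verify(public_key, message, signature):
    c, d = signature
    if not (0 < c < r and 0 < d < r):         # S12, else S20
        return False
    f = hash_int(message)                     # S13
    h = pow(d, -1, r)                         # S14
    h1, h2 = f * h % r, c * h % r             # S15
    P = add(mul(h1, G), mul(h2, public_key))  # S16: h1 x G + h2 . Ks x G
    if P is None:                             # S17, else S20
        return False
    return P[0] % r == c                      # S18 -> S19 or S20
```

The range check at step S12 matters on its own: without it, a signature with d=0 would fail inside the modular inverse instead of being rejected cleanly.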

[0447] (3-4) Mutual Authentication Based on Common Key Cryptosystem

[0448] Next, a mutual authentication method using a common key cryptosystem will be explained with reference to FIG. 13. In this figure, the common key cryptosystem is the DES, but any common key cryptosystem similar to that previously described may be used. In FIG. 13, B first generates a 64-bit random number Rb and transmits the Rb and its own ID ID(b) to A. On receiving the data, the A generates a new 64-bit random number Ra, encrypts the data in the DES CBC mode in the order of the Ra, Rb, and ID(b) using a key Kab, and returns them to the B. According to the DES CBC mode process configuration shown in FIG. 7, the Ra, Rb, and ID(b) correspond to M1, M2, and M3, and outputs E1, E2, and E3 are encrypted texts when an initial value: IV=0.

[0449] On receiving the data, the B decrypts the received data with the key Kab. To decrypt the received data, the encrypted text E1 is first decrypted with the key Kab to obtain the random number Ra. Then, the encrypted text E2 is decrypted with the key Kab, and the result and the E1 are exclusive-ORed to obtain the Rb. Finally, the encrypted text E3 is decrypted with the key Kab, and the result and the E2 are exclusive-ORed to obtain the ID(b). Of the Ra, Rb, and ID(b) thus obtained, the Rb and ID(b) are checked for equality to those transmitted by the B. If they are successfully verified, the B authenticates the A.

[0450] Then, the B generates a session key (hereafter referred to as “Kses”) used after the authentication (this is generated using a random number). The Rb, Ra, and Kses are encrypted in the DES CBC mode in this order using the key Kab and then returned to the A.

[0451] On receiving the data, the A decrypts the received data with the key Kab. The method for decrypting the received data is similar to that executed by the B, so detailed description thereof is omitted. Of the Rb, Ra, and Kses thus obtained, the Rb and Ra are checked for equality to those transmitted by the A. If they are successfully verified, the A authenticates the B. After the A and B have authenticated each other, the session key Kses is used as a common key for secret communication after the authentication.

[0452] If illegality or inequality is found during the verification of the received data, the mutual authentication is considered to have failed and the process is aborted.
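The CBC chaining of FIG. 7 and FIG. 10 and the exchange of FIG. 13, as an added Python example that is not part of the original specification. Because the Python standard library has no DES, an 8-round Feistel construction over SHA-256 stands in for the DES encrypting section; that stand-in cipher, the function names, and the 8-byte ID(b) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # 64-bit blocks, the DES block size used on the page


class AuthError(Exception):
    """A check failed; the exchange is considered failed and is aborted."""


def _xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))


def _round(key, n, half):
    # Round function of the stand-in cipher (an assumption, NOT DES).
    return hashlib.sha256(key + bytes([n]) + half).digest()[:4]


def block_encrypt(key, blk):
    left, right = blk[:4], blk[4:]
    for n in range(8):
        left, right = right, _xor(left, _round(key, n, right))
    return right + left


def block_decrypt(key, blk):
    left, right = blk[:4], blk[4:]
    for n in reversed(range(8)):
        left, right = right, _xor(left, _round(key, n, right))
    return right + left


def cbc_encrypt(key, blocks, iv=bytes(BLOCK)):
    """I_n = M_n xor E_(n-1) with E_0 = IV; E_n = Enc(key, I_n)."""
    out, prev = [], iv
    for m in blocks:
        prev = block_encrypt(key, _xor(prev, m))
        out.append(prev)
    return out


def cbc_decrypt(key, blocks, iv=bytes(BLOCK)):
    """M_n = Dec(key, E_n) xor E_(n-1), the decryption B performs."""
    out, prev = [], iv
    for e in blocks:
        out.append(_xor(block_decrypt(key, e), prev))
        prev = e
    return out


def cbc_mac(k1, message, k2=None):
    """MAC = final output E_N (FIG. 7). With k2, only the last block gets the
    encrypt(K1), decrypt(K2), encrypt(K1) treatment of FIG. 10."""
    if not message or len(message) % BLOCK:
        raise ValueError("message must be a non-empty multiple of 8 bytes")
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    mac = cbc_encrypt(k1, blocks)[-1]
    if k2 is not None:
        mac = block_encrypt(k1, block_decrypt(k2, mac))
    return mac


def verify_mac(k1, message, mac, k2=None):
    # The verifier regenerates the value and compares it with the stored one.
    return hmac.compare_digest(cbc_mac(k1, message, k2), mac)


def _check(received, expected):
    if not hmac.compare_digest(received, expected):
        raise AuthError("received value does not match the one sent")


def mutual_auth(kab_a, kab_b, id_b, tamper=None):
    """Run the FIG. 13 exchange; return the session key held by (A, B)."""
    rb = secrets.token_bytes(BLOCK)                 # B -> A: Rb, ID(b)
    ra = secrets.token_bytes(BLOCK)                 # A generates Ra
    msg1 = cbc_encrypt(kab_a, [ra, rb, id_b])       # A -> B: E1, E2, E3
    if tamper:
        msg1 = tamper(msg1)                         # constructed channel fault
    ra_seen, rb_seen, id_seen = cbc_decrypt(kab_b, msg1)
    _check(rb_seen, rb)                             # B authenticates A
    _check(id_seen, id_b)
    kses = secrets.token_bytes(BLOCK)               # B generates Kses
    msg2 = cbc_encrypt(kab_b, [rb, ra_seen, kses])  # B -> A
    rb_back, ra_back, kses_a = cbc_decrypt(kab_a, msg2)
    _check(rb_back, rb)                             # A authenticates B
    _check(ra_back, ra)
    return kses_a, kses
```

Passing the same key as k1 and k2 to cbc_mac reproduces the single-cipher MAC, which is the usual compatibility property of the encrypt-decrypt-encrypt arrangement in FIG. 9(a).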

[0453] (3-5) Public Key Certificate

[0454] Next, the public key certificate will be explained with reference to FIG. 14. The public key certificate is issued by a Certificate Authority (CA) for the public key cryptosystem. When a user submits his or her own ID, a public key, and others to the certificate authority, it adds information such as its own ID and valid term to the data submitted by the user and further adds its signature thereto to generate a public key certificate.

[0455] The public key certificate shown in FIG. 14 contains the version number of the certificate, the sequential number of the certificate allotted to the certificate user by the certificate authority, an algorithm and parameters used for the electronic signature, the name of the certificate authority, the valid term of the certificate, the name (user ID) of the certificate user, and the public key and electronic signature of the certificate user.

[0456] The electronic signature is data generated by applying the hash function to the entirety of the version number of the certificate, the sequential number of the certificate allotted to the certificate user by the certificate authority, the algorithm and parameter used for the electronic signature, the name of the certificate authority, the valid term of the certificate, the name of the certificate user, and the public key of the certificate user, to generate a hash value, and then using the secret key of the certificate authority for this value. For example, the process flow described in FIG. 11 is applied to the generation of the electronic signature.

[0457] The certificate authority issues the public key certificate shown in FIG. 14, updates a public key certificate for which the valid term has expired, and creates, manages, and distributes an illegal user list to exclude users who have committed an injustice (this is called “revocation”). It also generates public and secret keys as required.

[0458] On the other hand, to use this public key certificate, the user uses the public key of the certificate authority held by itself to verify the electronic signature on the public key certificate, and after the electronic signature has been successfully verified, it takes the public key out from the public key certificate and uses it. Thus, all users who use the public key certificate must hold a common public key of the certificate authority. The method for verifying the electronic signature has been described in FIG. 12, so detailed description thereof is omitted.

[0459] (3-6) Mutual Authentication Based on Public Key Cryptosystem

[0460] Next, a method for mutual authentication using a 160-bit elliptic curve cryptography, which is a public key cryptography, will be described with reference to FIG. 15. In this figure, the public key cryptosystem is the ECC, but any similar public key cryptosystem may be used as previously described. In addition, the key size is not limited to 160 bits. In FIG. 15, the B first generates and transmits the 64-bit random number Rb to the A. On receiving the data, the A generates a new 64-bit random number Ra and a random number Ak smaller than the characteristic p. It then multiplies a base point G by Ak to determine a point Av=Ak×G, generates an electronic signature A.Sig for the Ra, Rb, and Av (X and Y coordinates), and returns these data to the B together with the A's public key certificate. In this case, since the Ra and Rb each contain 64 bits and the X and Y coordinates of the Av each contain 160 bits, the electronic signature is for the total of 448 bits. The method for generating the electronic signature has been described in FIG. 11, so detailed description thereof is omitted. The public key certificate has also been explained in FIG. 14, so detailed description thereof is omitted.

[0461] On receiving the A's public key certificate, Ra, Rb, Av, and electronic signature A.Sig, the B verifies that the Rb transmitted by the A matches that generated by the B. If they are determined to match, the B verifies the electronic signature in the A's public key certificate using the public key of the certificate authority, and takes out the A's public key. The verification of the public key certificate has been explained with reference to FIG. 14, so detailed description thereof is omitted. The B then uses the A's public key obtained to verify the electronic signature A.Sig. The method for verifying the electronic signature has been explained in FIG. 12, so detailed description thereof is omitted. Once the electronic signature has been successfully verified, the B authenticates the A.

[0462] Next, the B generates a new random number Bk smaller than the characteristic p. It then multiplies the base point G by Bk to determine a point Bv=Bk×G, generates an electronic signature B.Sig for the Rb, Ra, and Bv (X and Y coordinates), and returns these data to the A together with the B's public key certificate.

[0463] On receiving the B's public key certificate, Rb, Ra, Bv, and electronic signature B.Sig, the A verifies that the Ra transmitted by the B matches that generated by the A. If they are determined to match, the A verifies the electronic signature in the B's public key certificate using the public key of the certificate authority, and takes out the B's public key. The A then uses the B's public key obtained to verify the electronic signature B.Sig. Once the electronic signature has been successfully verified, the A authenticates the B.

[0464] If both the A and B have successfully authenticated each other, the B calculates Bk×Av (since the Bk is a random number but the Av is a point on the elliptic curve, the point on the elliptic curve must be subjected to scalar multiplication), and the A calculates Ak×Bv so that the lower 64 bits of each of the X coordinates of these points are used as the session key for subsequent communication (if the common key cryptography uses a 64-bit key length). Of course, the session key may be generated from the Y coordinates, or the lower 64 bits may not be used. In secret communication after the mutual authentication, not only are transmitted data encrypted with the session key but an electronic signature may also be added thereto.

[0465] If illegality or inequality is found during the verification ofthe electronic signature or received data, the mutual authentication isconsidered to have failed and the process is aborted.

[0466] (3-7) Encryption Process Using Elliptic Curve Cryptography

[0467] Next, encryption using elliptic curve cryptography will be explained with reference to FIG. 16. At step S21, the following definitions are set: reference symbols Mx and My denote messages, reference symbol p denotes a characteristic, reference symbols a and b denote elliptic curve coefficients (elliptic curve: y²=x³+ax+b), reference symbol G denotes a base point on the elliptic curve, reference symbol r denotes the digit of G, and reference symbols G and Ks×G denote public keys (0<Ks<r). At step S22, the random number u is generated so that 0<u<r. At step S23, coordinates V are calculated by multiplying the public key Ks×G by the u. The scalar multiplication on the elliptic curve has been explained at step S4 in FIG. 11, and description thereof is thus omitted. At step S24, the X coordinate of the V is multiplied by the Mx and then divided by the p to determine a remainder X0. At step S25, the Y coordinate of the V is multiplied by the My and then divided by the p to determine a remainder Y0. If the length of the message is smaller than the number of the bits, the My comprises a random number, and the decryption section discards it. At step S26, u×G is calculated and at step S27, an encrypted text u×G, (X0, Y0) is obtained.

[0468] (3-8) Decryption Process Using Elliptic Curve Cryptography

[0469] Next, decryption using the elliptic curve cryptography will be described with reference to FIG. 17. At step S31, the following definitions are set: reference symbols u×G and (X0, Y0) denote encrypted text data, reference symbol p denotes a characteristic, reference symbols a and b denote elliptic curve coefficients (elliptic curve: y²=x³+ax+b), reference symbol G denotes a base point on the elliptic curve, reference symbol r denotes the digit of G, and reference symbol Ks denotes a secret key (0<Ks<r). At step S32, the encrypted data u×G are multiplied by a value corresponding to the secret key Ks to determine coordinates V (Xv, Yv). At step S33, the X coordinate of (X0, Y0) is taken out from the encrypted data and X1=X0/Xv mod p is calculated. At step S34, the Y coordinate is taken out and Y1=Y0/Yv mod p is calculated. At step S35, X1 is determined to be Mx and Y1 is determined to be My to obtain a message. At this point, if the My is not used for the message, Y1 is discarded.

[0470] In this manner, when the secret key is Ks, the public key is G, and Ks×G is calculated, the key used for encryption and the key used for decryption may be different.

[0471] Another known example of the public key cryptography is the RSA, but detailed description thereof is omitted (details thereof are described in PKCS #1 Version 2).

[0472] (3-9) Random Number Generating Process

[0473] Next, a method for generating a random number will be explained. Known random-number generating methods include an intrinsic random-number generating method that amplifies thermal noise to generate a random number from the resulting A/D output and a pseudo random-number generating method that combines together a plurality of linear circuits such as M sequences. A method is also known which uses common key cryptography such as the DES. In this example, the pseudo random-number generating method using the DES will be described (ANSI X9.17 base).

[0474] First, the value of 64 bits (for a smaller number of bits, higher bits are set to 0) obtained from data such as time is defined as D, key information used for the Triple-DES is defined as Kr, and a seed for generating a random number is defined as S. Then, the random number R is calculated as follows:

I=Triple-DES(Kr, D)  (2-1)

R=Triple-DES(Kr, S ⊕ I)  (2-2)

S=Triple-DES(Kr, R ⊕ I)  (2-3)

[0475] In this case, Triple-DES( ) is a function that uses a first argument as cryptography key information and that encrypts the value of a second argument based on the Triple-DES. The operation ⊕ is an exclusive OR executed every 64 bits. The last value S is updated as a new seed.

[0476] If random numbers are continuously generated, Equations (2-2) and (2-3) are repeated.

[0477] The aspects of various cryptography processes applicable to the data processing apparatus according to the present invention have been described. Next, specific processes executed in the present data processing apparatus will be described in detail.

[0478] (4) Configuration of Data Stored in Recording and Reproducing Device

[0479] FIG. 18 is a view useful in explaining the contents of data held in the internal memory 307 configured in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 shown in FIG. 3.

[0480] As shown in FIG. 18, the internal memory 307 stores the following keys and data:

[0481] MKake: recording device authenticating master key for generating an authentication and key exchange key (hereafter referred to as “Kake”) required for a mutual authentication process executed between the recording and reproducing device 300 and recording device 400 (see FIG. 3).

[0482] IVake: initial value for the recording device authenticating key.

[0483] MKdis: master key for a distribution key for generating a distribution key Kdis.

[0484] IVdis: distribution-key-generating initial value.

[0485] Kicva: integrity-check-value-A-generating key for generating the integrity check value ICVa.

[0486] Kicvb: integrity-check-value-B-generating key for generating the integrity check value ICVb.

[0487] Kicvc: content-integrity-check-value-generating key for generating the integrity check value ICVi (i=1 to N) for each content block.

[0488] Kicvt: total-integrity-check-value-generating key for generating the total integrity check value ICVt.

[0489] Ksys: system signature key used to add a common signature or ICV to a distribution system.

[0490] Kdev: recording and reproducing device signature key that varies depending on recording and reproducing device and that is used by the recording and reproducing device to add a signature or ICV.

[0491] IVmem: initial value that is used for a cryptography process for mutual authentication, or the like. This is shared by the recording device.

[0492] These keys and data are stored in the internal memory 307 configured in the recording and reproducing device cryptography process section 302.

[0493] (5) Configuration of Data Stored in Recording Device

[0494] FIG. 19 is a view showing how data are held on the recording device. In this figure, the internal memory 405 is divided into a plurality of (in this example, N) blocks each storing the following keys and data:

[0495] IDmem: recording device identification information that is unique to the recording device.

[0496] Kake: authentication key that is used for mutual authentication with the recording and reproducing device 300.

[0497] IVmem: initial value that is used for a cryptography process for mutual authentication, or the like.

[0498] Kstr: storage key that is a cryptography key for the block information table and other content data.

[0499] Kr: random number generating key.

[0500] S: seed.

[0501] These data are each held in the corresponding block. An external memory 402 holds a plurality of (in this example, M) content data; it holds the data described in FIG. 4 as shown, for example, in FIG. 26 or 27. The difference in configuration between FIGS. 26 and 27 will be described later.

[0502] (6) Mutual Authentication Process Between Recording and Reproducing Device and Recording Device

[0503] (6-1) Outline of Mutual Authentication Process

[0504] FIG. 20 is a flow chart showing a procedure for an authentication between the recording and reproducing device 300 and the recording device 400. At step S41, the user inserts the recording device 400 into the recording and reproducing device 300. If, however, the recording device 400 is capable of communication in a non-contact manner, it need not be inserted thereinto.

[0505] When the recording device 400 is set in the recording and reproducing device 300, a recording device detecting means (not shown) in the recording and reproducing device 300 shown in FIG. 3 notifies the control section 301 that the recording device 400 has been installed. Then at step S42, the control section 301 of the recording and reproducing device 300 transmits an initialization command to the recording device 400 via the recording device controller 303. On receiving the command, the recording device 400 causes the control section 403 of the recording device cryptography process section 401 to receive the command via the communication section 404 and clear an authentication completion flag if it has been set. That is, the unauthenticated state is set.

[0506] Then at step S43, the control section 301 of the recording and reproducing device 300 transmits an initialization command to the recording and reproducing device cryptography process section 302. At this point, it also transmits a recording device insertion port number. When the recording device insertion port number is transmitted, even if a plurality of recording devices 400 are connected to the recording and reproducing device 300, the recording and reproducing device 300 can simultaneously execute authentication with these recording devices 400 and transmit and receive data thereto and therefrom.

[0507] On receiving the initialization command, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the control section 306 thereof to clear the authentication complete flag corresponding to the recording device insertion port number if it has been set. That is, the unauthenticated state is set.

[0508] Then at step S44, the control section 301 of the recording and reproducing device 300 specifies a key block number used by the recording device cryptography process section 401 of the recording device 400. Details of the key block number will be described later. At step S45, the control section 301 of the recording and reproducing device 300 reads out the recording device identification information IDmem stored in the specified key block in the internal memory 405 of the recording device 400. At step S46, the control section 301 of the recording and reproducing device 300 transmits the recording device identification information IDmem to the recording and reproducing device cryptography process section 302 to generate the authentication key Kake based on the recording device identification information IDmem. The authentication key Kake is generated, for example, as follows:

Kake=DES(MKake, IDmem ⊕ IVake)  (3)

[0509] In this case, the MKake denotes the master key for the recording device authentication key used to generate the authentication key Kake required for the mutual authentication process executed between the recording and reproducing device 300 and the recording device 400 (see FIG. 3), the master key being stored in the internal memory 307 of the recording and reproducing device 300 as described above. Additionally, the IDmem denotes the recording device identification information unique to the recording device 400. Furthermore, the IVake denotes the initial key for the recording device authentication key. In addition, in the above equation, the DES( ) denotes a function that uses a first argument as cryptography key and that encrypts the value of a second argument based on the DES. The operation ⊕ denotes an exclusive OR executed every 64 bits.

[0510] If, for example, the DES configuration shown in FIG. 7 or 8 is applied, the message M shown in FIGS. 7 and 8 corresponds to the recording device identification information: IDmem, the key K1 corresponds to the master key for the device authentication key: MKake, the initial value IV corresponds to the value: IVake, and the output obtained is the authentication key Kake.

[0511] Then at step S47, the mutual authentication process and the process for generating the session key Kses are carried out. The mutual authentication is executed between the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 and the encryption/decryption section 406 of the recording device cryptography process section 401; the control section 301 of the recording and reproducing device 300 mediates therebetween.

[0512] The mutual authentication process can be executed as previously described in FIG. 13. In the configuration shown in FIG. 13, the A and B correspond to the recording and reproducing device 300 and the recording device 400, respectively. First, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 generates the random number Rb and transmits the Rb and the recording and reproducing device identification information IDdev, which is its own ID, to the recording device cryptography process section 401 of the recording device 400. The recording and reproducing device identification information IDdev is an identifier unique to a reproducing device stored in a memory section configured in the recording and reproducing device 300. The recording and reproducing device identification information IDdev may be recorded in the internal memory of the recording and reproducing device cryptography process section 302.

[0513] On receiving the random number Rb and the recording and reproducing device identification information IDdev, the recording device cryptography process section 401 of the recording device 400 generates a new 64-bit random number Ra, encrypts the data in the DES CBC mode in the order of the Ra, Rb, and recording and reproducing device identification information IDdev using the authentication key Kake, and returns them to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. For example, according to the DES CBC mode process configuration shown in FIG. 7, the Ra, Rb, and IDdev correspond to the M1, M2, and M3, respectively, and when the initial value: IV=IVmem, the outputs E1, E2, and E3 are encrypted texts.

[0514] On receiving the encrypted texts E1, E2, and E3, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 decrypts the received data with the authentication key Kake. To decrypt the received data, the encrypted text E1 is first decrypted with the key Kake and the result and the IVmem are exclusive-ORed to obtain the random number Ra. Then, the encrypted text E2 is decrypted with the key Kake, and the result and the E1 are exclusive-ORed to obtain the Rb. Finally, the encrypted text E3 is decrypted with the key Kake, and the result and the E2 are exclusive-ORed to obtain the recording and reproducing device identification information IDdev. Of the Ra, Rb, and recording and reproducing device identification information IDdev thus obtained, the Rb and recording and reproducing device identification information IDdev are checked for equality to those transmitted by the recording and reproducing device 300. If they are successfully verified, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 authenticates the recording device 400.

[0515] Then, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 generates a session key (hereafter referred to as “Kses”) used after the authentication (this is generated using a random number). The Rb, Ra, and Kses are encrypted in the DES CBC mode in this order using the key Kake and the initial value IVmem and then returned to the recording device cryptography process section 401 of the recording device 400.

[0516] On receiving the data, the recording device cryptography process section 401 of the recording device 400 decrypts the received data with the key Kake. The method for decrypting the received data is similar to that executed by the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300, so detailed description thereof is omitted. Of the Ra, Rb, and Kses thus obtained, the Rb and Ra are checked for equality to those transmitted by the recording device 400. If they are successfully verified, the recording device cryptography process section 401 of the recording device 400 authenticates the recording and reproducing device 300. After these devices have authenticated each other, the session key Kses is used as a common key for secret communication after the authentication.

[0517] If illegality or inequality is found during the verification of the received data, the mutual authentication is considered to have failed and the process is aborted.

[0518] If the mutual authentication has been successful, the process proceeds from step S48 to step S49 where the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 holds the session key Kses and where the authentication complete flag is set, indicating that the mutual authentication has been completed. Additionally, if the mutual authentication has failed, the process proceeds to step S50, the session key Kses is discarded and the authentication complete flag is cleared. If the flag has already been cleared, the clearing process is not necessarily required. If the recording device 400 is removed from the recording device insertion port, the recording device detecting means in the recording and reproducing device 300 notifies the control section 301 of the recording and reproducing device 300 that the recording device 400 has been removed. In response to this, the control section 301 of the recording and reproducing device 300 commands the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to clear the authentication complete flag corresponding to the recording device insertion port number. In response to this, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 clears the authentication complete flag corresponding to the recording device insertion port number.

[0519] The example has been described where the mutual authentication process is executed in accordance with the procedure shown in FIG. 13, but the present invention is not limited to the above described example of authentication process but the process may be executed, for example, in accordance with the above described mutual authentication procedure in FIG. 15. Alternatively, in the procedure shown in FIG. 13, the A in FIG. 13 may be set as the recording and reproducing device 300, the B may be set as the recording device 400, and the ID that the B: recording device 400 first delivers to the A: recording and reproducing device 300 may be set as the recording device identification information in the key block in the recording device. Various processes are applicable to the authentication process procedure executed in the present invention, and the present invention is not limited to the above described authentication process.

[0520] (6-2) Switching Key Block During Mutual Authentication

[0521] The mutual authentication process in the data processing apparatus according to the present invention is partly characterized in that the authentication process is executed by configuring a plurality of (for example, N) key blocks on the recording device 400 side and allowing the recording and reproducing device 300 to specify one of them (step S44 in the process flow in FIG. 20). As previously described in FIG. 19, the internal memory 405 configured in the cryptography process section 401 of the recording device 400 has a plurality of key blocks formed therein which store various different data such as key data and ID information. The mutual authentication process executed between the recording and reproducing device 300 and the recording device 400 as described in FIG. 20 is carried out on one of the plurality of key blocks of the recording device 400 in FIG. 19.

[0522] Conventional configurations for executing a mutual authentication process between a recording medium and a reproducing device therefor generally use a common authentication key for the mutual authentication. Thus, when the authentication key is to be changed for each product destination (country) or each product, key data required for authentication processes for the recording and reproducing device side and the recording device side must be changed on both devices. Accordingly, key data required for an authentication process stored in a newly sold recording and reproducing device do not correspond to key data required for an authentication process stored in a previously sold recording and reproducing device, so the new recording and reproducing device cannot access an old version of recording device. Conversely, a similar situation occurs in the relationship between a new version of recording device and the old version of recording and reproducing device.

[0523] In the data processing apparatus according to the present invention, key blocks are stored in the recording device 400 as a plurality of different key sets as shown in FIG. 19. The recording and reproducing device has a key block to be applied to the authentication process, that is, a specified key block set, for example, for each product destination (country), product, device type, version, or application. This set information is stored in the memory section of the recording and reproducing device, for example, the internal memory 307 in FIG. 3 or other storage elements of the recording and reproducing device 300, and is accessed by the control section 301 in FIG. 3 during the authentication process to specify a key block in accordance therewith.

[0524] The master key MKake for the recording device authentication key in the internal memory 307 of the recording and reproducing device 300 is set in accordance with settings for a specified key block and can correspond only to that specified key block; it does not establish mutual authentication with any key blocks other than the specified one.

[0525] As is seen in FIG. 19, the internal memory 405 of the recording device 400 has N key blocks (1 to N) set which each store recording device identification information, an authentication key, an initial value, a storage key, a random-number generating key, and a seed; each key block stores at least authenticating key data as data varying depending on the block.

[0526] In this manner, the key data configuration of the key block in the recording device 400 varies depending on the block. Thus, for example, a key block with which a certain recording and reproducing device A can execute the authentication process using the master key MKake for the recording device authentication key stored in the internal memory can be set as a key block No. 1, and a key block with which a recording and reproducing device B with a different specification can execute the authentication process can be set as another key block, for example, a key block No. 2.

[0527] Although described later in detail, when a content is stored in the external memory 402 of the recording device 400, the storage key Kstr stored in each key block is used to encrypt and store the content. More specifically, the storage key is used to encrypt a content key for encrypting a content block.

[0528] As shown in FIG. 19, the storage key is configured as a key that varies depending on the block. Thus, a content stored in a memory of a recording device is prevented from being shared by two different recording and reproducing devices set to specify different key blocks. That is, differently set recording and reproducing devices can each use only the contents stored in a recording device that is compatible with its settings.

[0529] Data that can be made common to each key block can be made so, while, for example, only the authenticating key data and the storage key data may vary depending on the key block.

[0530] In a specific example where key blocks comprising a plurality of different key data are configured in the recording device, for example, different key block numbers to be specified are set for different types of recording and reproducing device 300 (an installed type, a portable type, and the like), or different specified key blocks are set for different applications. Furthermore, different key blocks may be set for different territories; for example, the key block No. 1 is specified for recording and reproducing devices sold in Japan, and the key block No. 2 is specified for recording and reproducing devices sold in the U.S. With such a configuration, a content that is used in different territories and that is stored in each recording device with a different storage key cannot be used in a recording and reproducing device with different key settings even if a recording device such as a memory card is transferred from the U.S. to Japan or vice versa, thereby preventing the illegal or disorderly distribution of the content stored in the memory. Specifically, this serves to exclude a state where a content key Kcon encrypted with different storage keys Kstr can be mutually used in two different countries.

[0531] Moreover, at least one of the key blocks 1 to N in the internal memory 405 of the recording device 400 shown in FIG. 19, for example, the No. N key block may be shared by any recording and reproducing device 300.

[0532] For example, when the key block No. N and the master key MKake for the recording device authentication key, which is capable of authentication, are stored in all apparatuses, contents can be distributed irrespective of the type of the recording and reproducing device 300, the type of the application, or the destined country. For example, an encrypted content stored in a memory card with the storage key stored in the key block No. N can be used in any apparatuses. For example, music data or the like can be decrypted and reproduced from a memory card by encrypting the data with the storage key in a shared key block, storing them in the memory card, and setting the memory card in, for example, a portable sound reproducing device storing the master key MKake for the recording device authentication key, which is also shared.

[0533] FIG. 21 shows an example of the usage of the recording device of the present data processing apparatus, which has a plurality of key blocks. A recording and reproducing device 2101 is a product sold in Japan and has a master key that establishes an authentication process with the key blocks No. 1 and No. 4 in the recording device. A recording and reproducing device 2102 is a product sold in the U.S. and has a master key that establishes an authentication process with the key blocks No. 2 and No. 4 in the recording device. A recording and reproducing device 2103 is a product sold in the EU and has a master key that establishes an authentication process with the key blocks No. 3 and No. 4 in the recording device.

[0534] For example, the recording and reproducing device 2101 establishes authentication with the key block 1 or 4 in the recording device A 2104 to store, in the external memory, contents encrypted via the storage key stored in that key block. The recording and reproducing device 2102 establishes authentication with the key block 2 or 4 in the recording device B 2105 to store, in the external memory, contents encrypted via the storage key stored in that key block. The recording and reproducing device 2103 establishes authentication with the key block 3 or 4 in the recording device C 2106 to store, in the external memory, contents encrypted via the storage key stored in that key block. Then, if the recording device A 2104 is installed in the recording and reproducing device 2102 or 2103, a content encrypted with the storage key in the key block 1 is unavailable because authentication is not established between the recording and reproducing device 2102 or 2103 and the key block 1. On the other hand, a content encrypted with the storage key in the key block 4 is available because authentication is established between the recording and reproducing device 2102 or 2103 and the key block 4.

[0535] As described above, in the data processing apparatus according to the present invention, the key blocks comprising the plurality of different key sets are configured in the recording device, while the recording and reproducing device stores the master key enabling authentication for a particular key block, thereby enabling the setting of restrictions on the use of contents depending on different use forms.

[0536] Moreover, a plurality of key blocks, for example, 1 to k may be specified in one recording and reproducing device, while a plurality of key blocks p and q may be specified in the other recording and reproducing devices. Additionally, a plurality of sharable key blocks may be provided.
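The key derivation of Equation (3), the CBC challenge-response exchange of section (6-1) and the key-block selection of FIG. 21, as an added example that is not code from this document. A small Feistel network built on SHA-256 stands in for DES (an assumption made so the example runs with the standard library only); all keys, identifiers and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher (NOT DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def enc_block(key, blk):
    """Stand-in 64-bit block cipher: 8-round Feistel network."""
    l, r = blk[:4], blk[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = enc_block(key, _xor(m, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for e in blocks:
        out.append(_xor(dec_block(key, e), prev))
        prev = e
    return out


def derive_kake(mkake, idmem, ivake):
    # Equation (3): Kake = E(MKake, IDmem XOR IVake)
    return enc_block(mkake, _xor(idmem, ivake))


class RecordingDevice:
    """Card side: key blocks, each holding its own (IDmem, Kake)."""

    def __init__(self, key_blocks, ivmem):
        self.key_blocks, self.ivmem = key_blocks, ivmem
        self.authenticated = False

    def idmem(self, n):
        return self.key_blocks[n][0]

    def respond(self, n, rb, iddev):
        self.authenticated = False                   # S42: flag cleared first
        self._kake = self.key_blocks[n][1]           # S44: block chosen by the player
        self._ra, self._rb = secrets.token_bytes(8), rb
        return cbc_encrypt(self._kake, self.ivmem, [self._ra, rb, iddev])

    def finish(self, msg):
        rb, ra, kses = cbc_decrypt(self._kake, self.ivmem, msg)
        self.authenticated = hmac.compare_digest(rb + ra, self._rb + self._ra)
        return kses if self.authenticated else None


def authenticate(mkake, ivake, ivmem, iddev, card, n):
    """Player side of FIG. 20; returns Kses, or None when authentication fails."""
    kake = derive_kake(mkake, card.idmem(n), ivake)  # S45-S46
    rb = secrets.token_bytes(8)
    ra, rb2, id2 = cbc_decrypt(kake, ivmem, card.respond(n, rb, iddev))
    if not hmac.compare_digest(rb2 + id2, rb + iddev):
        return None                                  # S50: abort, no Kses kept
    kses = secrets.token_bytes(8)
    reply = cbc_encrypt(kake, ivmem, [rb, ra, kses])
    return kses if card.finish(reply) == kses else None


def fig21_demo():
    """Constructed keys: one card with key blocks 1-4; block 4 is the shared block."""
    masters = {n: (secrets.token_bytes(8), secrets.token_bytes(8)) for n in range(1, 5)}
    ivmem, blocks = secrets.token_bytes(8), {}
    for n, (mk, iv) in masters.items():
        idmem = secrets.token_bytes(8)
        blocks[n] = (idmem, derive_kake(mk, idmem, iv))
    card = RecordingDevice(blocks, ivmem)
    japan = {1: masters[1], 4: masters[4]}           # like device 2101
    us = {2: masters[2], 4: masters[4]}              # like device 2102
    iddev = b"PLAYER01"
    return {
        "japan/block1": authenticate(*japan[1], ivmem, iddev, card, 1) is not None,
        "us/block2": authenticate(*us[2], ivmem, iddev, card, 2) is not None,
        "us/block4": authenticate(*us[4], ivmem, iddev, card, 4) is not None,
        # The U.S. player has no master key for block 1; its block-2 key derives a wrong Kake.
        "us/block1": authenticate(*us[2], ivmem, iddev, card, 1) is not None,
        "flag_after_failure": card.authenticated,
    }
```

The card stores only the derived Kake for each block, so a value read out of one card does not give the master key MKake held in the player.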

[0537] (7) Process for Downloading from Recording and Reproducing Device to Recording Device

[0538] Next, a process for downloading a content from the recording and reproducing device 300 to the external memory of the recording device 400 in the present data processing apparatus will be explained.

[0539] FIG. 22 is a flow chart useful in explaining a procedure for downloading a content from the recording and reproducing device 300 to the recording device 400. In this figure, the above described mutual authentication process is assumed to have been completed between the recording and reproducing device 300 and the recording device 400.

[0540] At step S51, the control section 301 of the recording and reproducing device 300 uses the read section 304 to read data of a predetermined format out from the medium 500 storing contents or uses the communication section 305 to receive data from the communication means 600 in accordance with a predetermined format. Then, the control section 301 of the recording and reproducing device 300 transmits the header section (see FIG. 4) of the data to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0541] Next, at step S52, the control section 306 of the recording and reproducing device cryptography process section 302, which has received the header at step S51, causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in FIG. 23. The initial value may be IV=0, or the integrity-check-value-A-generating initial value IVa stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 may be used. Finally, the integrity check value A and the check value: ICVa stored in the header are compared together, and if they are equal, the process proceeds to step S53.

[0542] As previously described in FIG. 4, the check value A, ICVa is used to verify that the content ID and the usage policy have not been tampered with. If the integrity check value A calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, equals the check value: ICVa stored in the header, it is determined that the content ID and the usage policy have not been tampered with.

[0543] Next, at step S53, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to generate the distribution key Kdis. The distribution key Kdis is generated, for example, as follows:

Kdis = DES(MKdis, ContentID ⊕ IVdis)  (4)

[0544] In this case, MKdis denotes the master key for the distribution key, used for generating the distribution key Kdis, the master key being stored in the internal memory of the recording and reproducing device 300 as described above. In addition, the content ID is identification information for the header section of content data, and IVdis denotes the initial value for the distribution key. Additionally, in the above equation, DES( ) denotes a function that uses its first argument as a cryptography key and encrypts the value of its second argument. The operation ⊕ denotes an exclusive OR executed every 64 bits.

[0545] At step S54, the control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302, as well as the distribution key Kdis generated at step S53, to decrypt the block information table key Kbit and content key Kcon (see FIG. 4) stored in the header section of the data obtained from the medium 500 via the read section 304 or received from the communication means 600 via the communication section 305. As shown in FIG. 4, the block information table key Kbit and the content key Kcon are encrypted beforehand with the distribution key Kdis on the medium such as a DVD or CD or on a communication path such as the Internet.

[0546] Further, at step S55, the control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt the block information table (BIT) with the block information table key Kbit decrypted at step S54. The block information table (BIT) as shown in FIG. 4 is encrypted beforehand with the block information table key Kbit on the medium such as the DVD or CD or the communication path such as the Internet.

[0547] Further, at step S56, the control section 306 of the recording and reproducing device cryptography process section 302 divides the block information table key Kbit, the content key Kcon, and the block information table (BIT) into 8-byte pieces, which are all exclusive-ORed (any operation such as an addition or subtraction may be used). Next, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value B (ICVb). The integrity check value B is generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the previously calculated exclusive-ORed value based on the DES, as shown in FIG. 24. Finally, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S57.

[0548] As previously described in FIG. 4, the check value B, ICVb, is used to verify that the block information table key Kbit, the content key Kcon, and the block information table (BIT) have not been tampered with. If the integrity check value B generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, dividing the block information table key Kbit, the content key Kcon, and the block information table (BIT) into 8-byte pieces, exclusive-ORing these data, and encrypting the exclusive-ORed data based on the DES, equals the check value ICVb stored in the header, it is determined that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

[0549] At step S57, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate an intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the total-integrity-check-value-generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B and all the held content integrity check values as a message. The initial value may be IV=0, or the total-integrity-check-value-generating initial value IVt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 may be used. Additionally, the intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0550] This intermediate integrity check value is generated using the integrity check values A and B and all the content integrity check values as a message, and data verified by each of these integrity check values may be verified by collating them with the intermediate integrity check value. In this embodiment, however, a plurality of different integrity check values, that is, the total integrity check value ICVt and the check value ICVdev unique to the recording and reproducing device 300, can be separately generated based on the intermediate integrity check value, so that the process for verifying the absence of tampering, which is executed for data shared by the entire system, and the verification process for identifying data occupied only by each recording and reproducing device 300 after the download process can be executed distinguishably. These integrity check values will be described later.

[0551] The control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt. The total integrity check value ICVt is generated by using as a key a system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES. Finally, the total integrity check value ICVt generated and the ICVt in the header stored at step S51 are compared together, and if they are equal, the process proceeds to step S58. The system signature key Ksys is common to a plurality of recording and reproducing devices, that is, the entire system executing the process of recording and reproducing certain data.

[0552] As previously described in FIG. 4, the total integrity check value ICVt is used to verify that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value ICVt stored in the header, it is determined that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with.

[0553] Then at step S58, the control section 301 of the recording and reproducing device 300 takes content block information out from the block information table (BIT) and checks whether any content block is to be verified. If any content block is to be verified, the content integrity check value has been stored in the block information in the header.

[0554] If any content block is to be verified, the control section 301 reads this content block out from the medium 500 by using the read section 304 of the recording and reproducing device 300, or receives it from the communicating means 600 by using the communication section 305 of the recording and reproducing device 300, and transmits the content block to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the content block, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content intermediate value.

[0555] The content intermediate value is generated by using the content key Kcon decrypted at step S54 to decrypt an input content block in the DES CBC mode, separating the resulting data into 8-byte pieces, and exclusive-ORing all these pieces (any operation such as an addition or subtraction may be used).

[0556] Then, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content integrity check value. The content integrity check value is generated by using as a key the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the content intermediate value based on the DES. Then, the control section 306 of the recording and reproducing device cryptography process section 302 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 at step S51, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result, and if the verification has been successful, the control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes are repeated until all the content blocks are verified. The initial value may be IV=0, or the content-integrity-check-value-generating initial value IVc stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 may be used, if the header generating side uses the same settings. Additionally, all the checked content integrity check values are held in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. Furthermore, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 monitors the order in which the content blocks are verified, and considers the authentication to have failed if the order is incorrect or if it is caused to verify the same content block twice or more. If all the content blocks have been successfully verified, the process proceeds to step S59.

[0557] Then at step S59, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt the block information table key Kbit and content key Kcon decrypted at step S54, using the session key Kses made sharable during the mutual authentication. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and content key Kcon from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300, the block information table key Kbit and content key Kcon being decrypted using the session key Kses. The control section 301 then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0558] Then at step S60, on receiving the block information table key Kbit and content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data using the session key Kses made sharable during the mutual authentication and to reencrypt the decrypted data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401. Finally, the control section 301 of the recording and reproducing device 300 reads the block information key Kbit and the content key Kcon out from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300, the block information key Kbit and the content key Kcon being reencrypted with the storage key Kstr. These are then substituted with the block information key Kbit and content key Kcon encrypted with the distribution key Kdis.

[0559] At step S61, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy in the header section of the data to determine whether the downloaded content can be used only in this recording and reproducing device 300 (in this case, the localization field is set to 1) or also by other similar recording and reproducing devices 300 (in this case, the localization field is set to 0). If the result of the determination shows that the localization field is set to 1, the process proceeds to step S62.

[0560] At step S62, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to calculate the integrity check value unique to the recording and reproducing device. The integrity check value unique to the recording and reproducing device is generated by using as a key a recording and reproducing device signature key Kdev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being held at step S58. The calculated integrity check value ICVdev unique to the recording and reproducing device substitutes for the total integrity check value ICVt.

[0561] As previously described, the system signature key Ksys is used to add a common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev varies depending on the recording and reproducing device and is used by the recording and reproducing device to add a signature or ICV. That is, data signed with the system signature key Ksys are successfully checked by a system (recording and reproducing device) having the same system signature key, that is, such data have the same total integrity check value ICVt so as to be sharable. If, however, data are signed with the recording and reproducing device signature key Kdev, since this signature key is unique to the recording and reproducing device, the data signed with the recording and reproducing device signature key Kdev, that is, the data stored in a recording device after the signing, cannot be reproduced if an attempt is made to reproduce them after this recording device has been inserted in another recording and reproducing device; that is, an error occurs due to the unequal integrity check values ICVdev unique to the recording and reproducing device.

[0562] Thus, in the data processing apparatus according to the present invention, the setting of the localization field enables contents to be arbitrarily set so as to be shared throughout the entire system or used only by particular recording and reproducing devices.

[0563] At step S63, the control section 301 of the recording and reproducing device 300 stores the content in the external memory 402 of the recording device 400.

[0564] FIG. 26 is a view showing how the content is stored in the recording device if the localization field is set to 0. FIG. 27 is a view showing how the content is stored in the recording device if the localization field is set to 1. The only difference between FIGS. 26 and 4 is whether the content block information key Kbit and the content key Kcon are encrypted with the distribution key Kdis or the storage key Kstr. The difference between FIGS. 27 and 26 is that the integrity check value calculated from the intermediate integrity check value is encrypted with the system signature key Ksys in FIG. 26, whereas it is encrypted with the recording and reproducing device signature key Kdev unique to the recording and reproducing device in FIG. 27.

[0565] In the process flow in FIG. 22, if the verification of the integrity check value A has failed at step S52, if the verification of the integrity check value B has failed at step S56, if the verification of the total integrity check value ICVt has failed at step S57, or if the verification of the content block content integrity check value has failed at step S58, then the process proceeds to step S64 to provide a predetermined error display.

[0566] In addition, if the localization field is 0 at step S61, the process skips step S62 to advance to step S63.

[0567] (8) Process Executed by Recording and Reproducing Device to Reproduce Information Stored in Recording Device

[0568] Next, a process executed by the recording and reproducing device 300 to reproduce content information stored in the external memory 402 of the recording device 400 will be described.

[0569] FIG. 28 is a flow chart useful in explaining a procedure executed by the recording and reproducing device 300 to read a content out from the recording device 400 and use it. In FIG. 28, the mutual authentication is assumed to have been completed between the recording and reproducing device 300 and the recording device 400.

[0570] At step S71, the control section 301 of the recording and reproducing device 300 uses the recording device controller 303 to read the content out from the external memory 402 of the recording device 400. The control section 301 of the recording and reproducing device 300 then transmits the header section of the data to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. Step S72 is similar to step S52 described in “(7) Process for Downloading from Recording and Reproducing Device to Recording Device”; at this step, the control section 306 of the recording and reproducing device cryptography process section 302, which has received the header, causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated in accordance with an ICV calculation method similar to that described in FIG. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in the previously described FIG. 23.

[0571] As previously described, the check value A, ICVa, is used to verify that the content ID and the usage policy have not been tampered with. If the integrity check value A calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, equals the check value ICVa stored in the header, it is determined that the content ID and usage policy stored in the recording device 400 have not been tampered with.

[0572] Then at step S73, the control section 301 of the recording and reproducing device 300 takes the block information table key Kbit and the content key Kcon out from the read-out header section and then transmits them to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300. On receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401 and to then reencrypt the decrypted data using the session key Kses made sharable during the mutual authentication. Then, the control section 301 of the recording and reproducing device 300 reads the block information key Kbit and the content key Kcon out from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300, the block information key Kbit and the content key Kcon being reencrypted with the session key Kses from the recording device 400.

[0573] Then at step S74, the control section 301 of the recording and reproducing device 300 transmits the received block information key Kbit and content key Kcon to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300, the block information key Kbit and content key Kcon being reencrypted with the session key Kses.

[0574] On receiving the block information key Kbit and content key Kcon reencrypted with the session key Kses, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt the block information key Kbit and content key Kcon encrypted with the session key Kses, using the session key Kses made sharable during the mutual authentication. The recording and reproducing device cryptography process section 302 then causes the encryption/decryption section 308 to decrypt the block information table received at step S71, using the decrypted block information table key Kbit.

[0575] The recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 substitutes the decrypted block information table key Kbit, content key Kcon, and block information table BIT with those received at step S71 for retention. In addition, the control section 301 of the recording and reproducing device 300 reads the decrypted block information table BIT out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0576] Step S75 is similar to step S56 described in “(7) Process for Downloading from Recording and Reproducing Device to Recording Device”. The control section 306 of the recording and reproducing device cryptography process section 302 divides the block information table key Kbit, content key Kcon, and block information table (BIT) read out from the recording device 400 into 8-byte pieces and then exclusive-ORs all of them. The control section 306 of the recording and reproducing device cryptography process section 302 then causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value B (ICVb). The integrity check value B is generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the previously calculated exclusive-ORed value based on the DES, as shown in the previously described FIG. 24. Finally, the check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S76.

[0577] As previously described, the check value B, ICVb, is used to verify that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with. If the integrity check value B generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, dividing the block information table key Kbit, the content key Kcon, and the block information table (BIT) read from the recording device 400 into 8-byte pieces, exclusive-ORing these data, and encrypting the exclusive-ORed data based on the DES, equals the check value ICVb stored in the header of the data read out from the recording device 400, it is determined that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

[0578] At step S76, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in FIG. 7 or the like, using as a key the total-integrity-check-value-generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B and all the held content integrity check values as a message. The initial value may be IV=0, or the total-integrity-check-value-generating initial value IVt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 may be used. Additionally, the intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0579] Then at step S77, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy contained in the header section of the data read out from the external memory 402 of the recording device 400, to determine whether the downloaded content can be used only in this recording and reproducing device 300 (in this case, the localization field is set to 1) or also by other similar recording and reproducing devices 300 (in this case, the localization field is set to 0). If the result of the determination shows that the localization field is set to 1, that is, it is set such that the downloaded content can be used only in this recording and reproducing device 300, the process proceeds to step S80. If the localization field is set to 0, that is, it is set such that the content can also be used by other similar recording and reproducing devices 300, then the process proceeds to step S78. Step S77 may be processed by the cryptography process section 302.

[0580] At step S78, the total integrity check value ICVt is calculated in the same manner as step S58 described in “(7) Process for Downloading from Recording and Reproducing Device to Recording Device”. That is, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt. The total integrity check value ICVt is generated by using as a key a system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the intermediate integrity check value based on the DES, as shown in the previously described FIG. 25.

[0581] Then, the process proceeds to step S79 to compare the total integrity check value ICVt generated at step S78 with the ICVt in the header stored at step S71. If the values are equal, the process proceeds to step S82.

[0582] As previously described, the total integrity check value ICVt is used to verify that the integrity check values ICVa and ICVb and all the content block integrity check values have not been tampered with. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value ICVt stored in the header, it is determined that the integrity check values ICVa and ICVb and all the content block integrity check values have not been tampered with in the data stored in the recording device 400.

[0583] If the result of the determination at step S77 shows that the localization field is set such that the downloaded content can be used only in this recording and reproducing device 300, that is, it is set to 1, the process proceeds to step S80.

[0584] At step S80, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value ICVdev unique to the recording and reproducing device. The integrity check value ICVdev unique to the recording and reproducing device is generated, as shown in the previously described FIG. 25, by using as a key a recording and reproducing device signature key Kdev unique to the recording and reproducing device stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being held at step S58. At step S81, the check value ICVdev unique to the recording and reproducing device calculated at step S80 is compared with the ICVdev stored at step S71, and if they are equal, the process proceeds to step S82.

[0585] Thus, data signed with the same system signature key Ksys are successfully checked by a system (recording and reproducing device) having the same system signature key, that is, such data have the same total integrity check value ICVt so as to be sharable. If, however, data are signed with the recording and reproducing device signature key Kdev, since this signature key is unique to the recording and reproducing device, the data signed with the recording and reproducing device signature key Kdev, that is, the data stored in a recording device after the signing, cannot be reproduced if an attempt is made to reproduce them after this recording device has been inserted in another recording and reproducing device; that is, an error occurs due to a mismatch in the integrity check value ICVdev unique to the recording and reproducing device. Accordingly, the setting of the localization field enables contents to be arbitrarily set so as to be shared throughout the entire system or used only by particular recording and reproducing devices.

[0586] At step S82, the control section 301 of the recording and reproducing device 300 takes content block information out from the block information table (BIT) read out at step S74 and checks whether any content block is to be encrypted. If any content block is to be encrypted, the control section 301 reads this content block out from the external memory 402 of the recording device 400 via the recording device controller 303 of the recording and reproducing device 300 and then transmits the content block to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the content block, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt the content, while causing the encryption/decryption section 308 to calculate the content integrity check value at step S83 if the content block is to be verified.

[0587] Step S83 is similar to step S58 described in “(7) Process for Downloading from Recording and Reproducing Device to Recording Device”. The control section 301 of the recording and reproducing device 300 takes content block information out from the block information table (BIT) and determines from the stored content integrity check value whether any content block is to be verified. If any content block is to be verified, the control section 301 receives this content block from the external memory 402 of the recording device 400 and transmits it to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the content block, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content intermediate value.

[0588] The content intermediate value is generated by using the content key Kcon decrypted at step S74 to decrypt the input content block in the DES CBC mode, separating the resulting data into 8-byte pieces, and exclusive-ORing all these pieces. Then, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content integrity check value. The content integrity check value is generated by using as a key the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the content intermediate value based on the DES. Then, the control section 306 of the recording and reproducing device cryptography process section 302 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 at step S71, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result and if the verification has been successful, the control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes are repeated until all the content blocks are verified. The initial value may be IV=0 or the content-integrity-check-value-generating initial value IVc may be used which is stored in the internal memory 307 of the recording and reproducing device cryptography process section 302. Additionally, all the checked content integrity check values are held in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. Furthermore, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 monitors the order in which the content blocks are verified to consider the authentication to have failed if the order is incorrect or if it is caused to verify the same content block twice or more.

[0589] The control section 301 of the recording and reproducing device 300 receives the result of the comparison of the content integrity check value (if no content block is to be verified, all the results of comparisons will be successful), and if the verification has been successful, it takes the decrypted content from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. It then takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to decrypt this content block. Similar verification processes are repeated until all the content blocks are decrypted.

[0590] At step S83, if the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 determines after the verification process that the content integrity check values are not equal, it considers the verification to have failed and avoids decrypting the remaining contents. In addition, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 monitors the order in which the content blocks are decrypted to consider the decryption to have failed if the order is incorrect or if it is caused to decrypt the same content block twice or more.
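The per-block check of steps S82 and S83 (decrypt in CBC mode, XOR the 8-byte pieces, encrypt the result with Kicvc, compare with the stored ICV, and refuse out-of-order or repeated blocks), as an added example that is not code from the patent. Assumptions: DES is replaced by a small hash-based Feistel permutation on 64-bit blocks because Python's standard library has no DES, IV=0 is used, and the keys, block contents and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
from functools import reduce

BLOCK = 8  # DES block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES (assumption): 4-round Feistel on 64 bits. Not DES, not secure."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def content_icv(kicvc: bytes, plaintext: bytes) -> bytes:
    """XOR all 8-byte pieces (intermediate value), then encrypt it with Kicvc."""
    pieces = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    return encrypt_block(kicvc, reduce(_xor, pieces))


class ContentBlockVerifier:
    """Decrypts and verifies content blocks, monitoring the order of requests."""

    def __init__(self, kcon: bytes, kicvc: bytes, stored_icvs: list):
        self.kcon, self.kicvc, self.stored_icvs = kcon, kicvc, stored_icvs
        self.next_index = 0
        self.failed = False

    def process(self, index: int, ciphertext: bytes):
        """Return the decrypted block, or None once verification has failed."""
        in_order = index == self.next_index and index < len(self.stored_icvs)
        if self.failed or not in_order:
            self.failed = True  # wrong order, or the same block presented twice
            return None
        plaintext = cbc_decrypt(self.kcon, ciphertext)
        computed = content_icv(self.kicvc, plaintext)
        if not hmac.compare_digest(computed, self.stored_icvs[index]):
            self.failed = True  # remaining blocks are not decrypted
            return None
        self.next_index += 1
        return plaintext


# Constructed sample data: 8-byte keys and three 16-byte content blocks.
KCON = b"Kcon-key"
KICVC = b"Kicvc-ky"
PLAIN = [b"block-0 payload.", b"block-1 payload.", b"block-2 payload."]


def run(order, tamper_index=None):
    """Feed blocks to a fresh verifier in the given order; optionally flip one bit."""
    ciphertexts = [cbc_encrypt(KCON, p) for p in PLAIN]
    icvs = [content_icv(KICVC, p) for p in PLAIN]  # as stored in the BIT
    if tamper_index is not None:
        damaged = bytearray(ciphertexts[tamper_index])
        damaged[0] ^= 0x01
        ciphertexts[tamper_index] = bytes(damaged)
    verifier = ContentBlockVerifier(KCON, KICVC, icvs)
    return [verifier.process(i, ciphertexts[i]) for i in order]


if __name__ == "__main__":
    print(run([0, 1, 2]))
    print(run([0, 1, 2], tamper_index=1))
```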

[0591] If the verification of the integrity check value A has failed at step S72, if the verification of the integrity check value B has failed at step S75, if the verification of the total integrity check value ICVt has failed at step S79, if the verification of the integrity check value ICVdev unique to the recording and reproducing device has failed at step S81, or if the verification of the content block content integrity check value has failed at step S81, then the process proceeds to step S84 to provide a predetermined error display.

[0592] As described above, not only can important data or content be encrypted, concealed, or checked for tampering when the content is downloaded or used, but even if data on a recording medium are simply copied to another recording medium, the content can be prevented from being correctly decrypted because the block information table key Kbit for decrypting the block information table BIT and the content key Kcon for decrypting the content are stored with the storage key Kstr unique to the recording medium. More specifically, for example, at step S74 in FIG. 28, another recording device cannot decrypt the data correctly because each recording device decrypts data encrypted with a different storage key Kstr.

[0593] (9) Key Exchanging Process after Mutual Authentication

[0594] The data processing apparatus according to the present invention is partly characterized in that the recording device 400 can be used only after the above described mutual authentication process between the recording and reproducing device 300 and the recording device 400 and in that the use form of the recording device is limited.

[0595] For example, to prevent a user from generating a recording device such as a memory card in which a content is stored by means of illegal copying or the like and setting this recording device in a recording and reproducing device for use, the mutual authentication process is executed between the recording and reproducing device 300 and the recording device 400 and (encrypted) contents can be transferred between the recording and reproducing device 300 and the recording device 400 only if they have been mutually authenticated.

[0596] To achieve the above restrictive process, according to the present data processing apparatus, all the processes in the cryptography process section 401 of the recording device 400 are executed based on preset command strings. That is, the recording device has such a command process configuration that it sequentially obtains commands from a register based on command numbers. FIG. 29 is a view useful in explaining the command process configuration of the recording device.

[0597] As shown in FIG. 29, between the recording and reproducing device 300 having the recording and reproducing device cryptography process section 302 and the recording device 400 having the recording device cryptography process section 401, command numbers (No.) are output from the recording device controller 303 to the communication section (including a reception register) 404 of the recording device 400 under the control of the control section 301 of the recording and reproducing device 300.

[0598] The recording device 400 has a command number managing section 2201 (2901?) in the control section 403 in the cryptography process section 401. The command number managing section 2901 holds a command register 2902 to store command strings corresponding to command numbers output from the recording and reproducing device 300. In the command strings, command numbers 0 to y are sequentially associated with execution commands, as shown in the right of FIG. 29. The command number managing section 2901 monitors command numbers output from the recording and reproducing device 300 to take corresponding commands out from a command register 2902 for execution.

[0599] In command sequences stored in the command register 2902, a command string for an authentication process sequence is associated with the leading command numbers 0 to k, as shown in the right of FIG. 29. Furthermore, command numbers p to s following the command string for the authentication process sequence are associated with a decryption, key exchange, and encryption process command sequence 1, and the following command numbers u to y are associated with a decryption, key exchange, and encryption process command sequence 2.

[0600] As previously described for the authentication process flow in FIG. 20, when the recording device 400 is installed in the recording and reproducing device 300, the control section 301 of the recording and reproducing device 300 transmits an initialization command to the recording device 400 via the recording device controller 303. On receiving the command, the recording device 400 causes the control section 403 of the recording device cryptography process section 401 to receive the command via the communication section 404 and clear an authentication flag 2903. That is, the unauthenticated state is set. Alternatively, in such a case that power is supplied from the recording and reproducing device 300 to the recording device 400, the unauthenticated state (?) may be set on power-on.

[0601] Then, the control section 301 of the recording and reproducing device 300 transmits an initialization command to the recording and reproducing device cryptography process section 302. At this point, it also transmits a recording device insertion port number. When the recording device insertion port number is transmitted, even if a plurality of recording devices 400 are connected to the recording and reproducing device 300, the recording and reproducing device 300 can simultaneously execute authentication with these recording devices 400 and transmit and receive data thereto and therefrom.

[0602] On receiving the initialization command, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the control section thereof to clear the authentication flag 2904 corresponding to the recording device insertion port number. That is, the unauthenticated state is set.

[0603] Once this initialization process has been completed, the control section 301 of the recording and reproducing device 300 sequentially outputs command numbers via the recording device controller 303 in an ascending order starting with the command number 0. The command number managing section 2901 of the recording device 400 monitors the command numbers input from the recording and reproducing device 300 to ascertain that they are sequentially input starting with the command number 0, and obtains the corresponding commands from the command register 2902 to execute various processes such as the authentication process. If the input command numbers are not in a specified order, an error occurs and a command number acceptance value is reset to an initial state, that is, an executable command number is reset at 0.

[0604] In the command sequences stored in the command register 2902 as shown in FIG. 29, the command numbers are imparted so as to carry out the authentication process first, and following this process sequence, the decryption, key exchange, and encryption process sequence is stored.

[0605] A specific example of the decryption, key exchange, and encryption process sequence will be explained with reference to FIGS. 30 and 31.

[0606] FIG. 30 shows part of the process executed in downloading a content from the recording and reproducing device 300 to the recording device 400 as previously described in FIG. 22. Specifically, this process is executed between steps 59 and 60 in FIG. 22.

[0607] In FIG. 30, at step S3001, the recording device receives data (e.g. the block information table Kbit and the content key Kcon) encrypted with the session key Kses, from the recording and reproducing device. Thereafter, the command strings p to s shown in the above described FIG. 29 are started. The command strings p to s are started after the authentication process commands 0 to k have been completed to cause authentication flags 2903 and 2904 shown in FIG. 29 to be set to indicate the completion. This is ensured by the command number managing section 2901 by accepting the command numbers only in the ascending order starting with 0.

[0608] At step S3002, the recording device stores in the register the data (e.g. the block information table Kbit and the content key Kcon) received from the recording and reproducing device and encrypted with the session key Kses.

[0609] At step S3003, a process is executed which takes the data (e.g. the block information table Kbit and the content key Kcon) encrypted with the session key Kses, out from the register and decrypts them with the session key Kses.

[0610] At step S3004, a process is executed which encrypts the data (e.g. the block information table Kbit and the content key Kcon) decrypted with the session key Kses, using the storage key Kstr.

[0611] The above process steps 3002 to 3004 correspond to processes included in the command numbers p to s in the command register previously described in FIG. 29. These processes are sequentially executed by the recording device cryptography process section 401 in accordance with the command numbers p to s received by the command number managing section 2901 of the recording device 400 from the recording and reproducing device 300.

[0612] At the next step S3005, the data (e.g. the block information table Kbit and the content key Kcon) encrypted with the storage key Kstr are stored in the external memory of the recording device. At this step, the recording and reproducing device 300 may read the data encrypted with the storage key Kstr, out from the recording device cryptography process section 401 and then store them in the external memory 402 of the recording device 400.

[0613] The above described steps S3002 to S3004 constitute an uninterruptible continuously-executed execution sequence; even if, for example, the recording and reproducing device 300 issues a data read command at the end of the decryption process at step S3003, since this read command differs from the command numbers p to s set in the command register 2902 in the ascending order, the command number managing section 2901 does not accept execution of the read. Accordingly, the decrypted data resulting from the key exchange in the recording device 400 cannot be read out by an external device, for example, the recording and reproducing device 300, thereby preventing key data or contents from being illegally read out.

[0614] FIG. 31 shows part of the content reproducing process previously described in FIG. 28 in which a content is read out from the recording device 400 and reproduced by the recording and reproducing device 300. Specifically, this process is executed at step 573 in FIG. 28.

[0615] In FIG. 31, at step S3101, the data (e.g. the block information table Kbit and the content key Kcon) encrypted with the storage key Kstr are read out from the external memory 402 of the recording device 400.

[0616] At step S3102, the data (e.g. the block information table Kbit and the content key Kcon) read out from the memory of the recording device and encrypted with the storage key Kstr are stored in the register. At this step, the recording and reproducing device 300 may read the data encrypted with the storage key Kstr, out from the external memory 402 of the recording device 400 and then store them in the register of the recording device 400.

[0617] At step S3103, the data (e.g. the block information table Kbit and the content key Kcon) encrypted with the storage key Kstr are taken out from the register and decrypted with the storage key Kstr.

[0618] At step S3104, the data (e.g. the block information table Kbit and the content key Kcon) decrypted with the storage key Kstr are encrypted with the session key Kses.

[0619] The above process steps 3102 to 3104 correspond to processes included in the command numbers u to y in the command register previously described in FIG. 29. These processes are sequentially executed by the recording device cryptography process section 406 in accordance with the command numbers u to y received by the command number managing section 2901 of the recording device from the recording and reproducing device 300.

[0620] At the next step S3105, the data (e.g. the block information table Kbit and the content key Kcon) encrypted with the session key Kses are transmitted from the recording device to the recording and reproducing device.

[0621] The above described steps S3102 to S3104 constitute an uninterruptible continuously-executed execution sequence; even if, for example, the recording and reproducing device 300 issues a data read command at the end of the decryption process at step S3103, since this read command differs from the command numbers u to y set in the command register 2902 in the ascending order, the command number managing section 2901 does not accept execution of the read. Accordingly, the decrypted data resulting from the key exchange in the recording device 400 cannot be read out by an external device, for example, the recording and reproducing device 300, thereby preventing key data or contents from being illegally read out.

[0622] For the process shown in FIGS. 30 and 31, the example is shown where the block information table key Kbit and the content key Kcon are decrypted and encrypted by means of key exchange, but these command sequences stored in the command register 2902 shown in FIG. 29 may include decryption and encryption processes involving key exchanges for the content itself. The object to be decrypted or encrypted by means of key exchanges is not limited to the above described example.

[0623] The key exchange process after the mutual authentication in the present data processing apparatus has been described. Thus, the key exchange process in the present data processing apparatus can be carried out only after the authentication process between the recording and reproducing device and the recording device has been completed. Further, decrypted data can be prevented from being externally accessed during the key exchange process, thereby ensuring the improved security of contents and key data.
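The command-number gate of FIG. 29 and the two key exchange sequences of FIGS. 30 and 31, simulated as an added example that is not code from the patent. Assumptions: the concrete command numbers (k=2, p to s = 3 to 5, u to y = 6 to 8), the READ command number, a repeating-key XOR standing in for DES, authentication commands modelled as no-ops that set the flag, and a device that wipes its register and flag when it rejects a command.

```python
AUTH = (0, 1, 2)   # command numbers 0..k: authentication sequence (modelled as no-ops)
SEQ1 = (3, 4, 5)   # p..s: store in register, decrypt with Kses, encrypt with Kstr
SEQ2 = (6, 7, 8)   # u..y: store in register, decrypt with Kstr, encrypt with Kses
READ = 99          # hypothetical command number for reading the register out


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES (assumption): repeating-key XOR, self-inverse, NOT secure."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class RecordingDevice:
    """Models the command number managing section 2901 and command register 2902."""

    def __init__(self, kstr: bytes, kses: bytes):
        self.kstr, self.kses = kstr, kses
        self.initialize()

    def initialize(self) -> None:
        """Initialization command: clear the authentication flag, expect command 0."""
        self.next_no = 0
        self.authenticated = False
        self.in_sequence = False
        self.register = None

    def _acceptable(self, number: int) -> bool:
        if number in AUTH + SEQ1 + SEQ2 and number == self.next_no:
            return True
        # Assumption: between sequences an authenticated host may start either
        # key exchange sequence or read the (encrypted) register.
        at_boundary = self.authenticated and not self.in_sequence
        return at_boundary and number in (SEQ1[0], SEQ2[0], READ)

    def submit(self, number: int, data: bytes = None):
        """Return (accepted, output). A rejected command resets the device."""
        if not self._acceptable(number):
            self.initialize()  # executable command number is reset to 0
            return False, None
        if number == READ:
            return True, self.register
        if number == AUTH[-1]:
            self.authenticated = True  # authentication flag 2903 set
        elif number in (SEQ1[0], SEQ2[0]):
            self.register, self.in_sequence = data or b"", True
        elif number == SEQ1[1]:
            self.register = toy_cipher(self.kses, self.register)  # plaintext keys
        elif number == SEQ1[2]:
            self.register = toy_cipher(self.kstr, self.register)
            self.in_sequence = False
        elif number == SEQ2[1]:
            self.register = toy_cipher(self.kstr, self.register)  # plaintext keys
        elif number == SEQ2[2]:
            self.register = toy_cipher(self.kses, self.register)
            self.in_sequence = False
        self.next_no = number + 1
        return True, None


# Constructed sample values.
KSTR = bytes.fromhex("1122334455667788")
KSES = bytes.fromhex("a1b2c3d4e5f60718")
KEYS = bytes(range(16))  # stands for Kbit || Kcon


def run(numbers, blob):
    """Submit the numbers to a fresh device; return (accept flags, last output, device)."""
    dev = RecordingDevice(KSTR, KSES)
    results = [dev.submit(n, blob if n in (SEQ1[0], SEQ2[0]) else None) for n in numbers]
    return [ok for ok, _ in results], results[-1][1], dev


def download():              # FIG. 30: Kses-encrypted keys in, Kstr-encrypted keys out
    return run(AUTH + SEQ1 + (READ,), toy_cipher(KSES, KEYS))


def reproduce():             # FIG. 31: Kstr-encrypted keys in, Kses-encrypted keys out
    return run(AUTH + SEQ2 + (READ,), toy_cipher(KSTR, KEYS))


def read_after_decrypt():    # read issued while the plaintext keys sit in the register
    return run(AUTH + SEQ1[:2] + (READ, SEQ1[2]), toy_cipher(KSES, KEYS))


def skip_authentication():   # key exchange attempted without commands 0..k
    return run(SEQ1, toy_cipher(KSES, KEYS))


if __name__ == "__main__":
    for scenario in (download, reproduce, read_after_decrypt, skip_authentication):
        flags, out, _ = scenario()
        print(scenario.__name__, flags, out.hex() if out else out)
```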

[0624] (10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format

[0625] In the above described embodiment, for example, the data format for the medium 500 or communication means 600 shown in FIG. 3 is of the type shown in FIG. 4. The data format for the medium 500 or the communication means 600 is not limited to the one shown in FIG. 4 but preferably depends on the content, that is, whether the content is music, image data, a program such as a game, or the like. A plurality of data formats as well as processes for downloading and reproducing data from and to the recording device 400 will be explained.

[0626] FIGS. 32 to 35 show four different data formats. A data format used on the medium 500 or the communication means 600 shown in FIG. 3 is shown in the left of each figure, while a data format used in storing data in the external memory 402 of the recording device 400 is shown in the right of each figure. An outline of the data formats shown in FIGS. 32 to 35 will first be provided, and the contents of each data in each format and differences among data in each format will be explained.

[0627] FIG. 32 shows a format type 0, which is of the same type as that shown as an example in the above description. The format type 0 is characterized in that the entire data are divided into N data blocks each having an arbitrary size, that is, blocks 1 to N, each of which is arbitrarily encrypted so that data can be configured by mixing together encrypted blocks and non-encrypted blocks, that is, plain text blocks. The blocks are encrypted with the content key Kcon, which is encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device. The block information key Kbit is also encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device. These key exchanges are carried out in accordance with the process described in “(9) Key Exchange Process after Mutual Authentication”.

[0628] FIG. 33 shows a format type 1, in which the entire data are divided into N data blocks, that is, blocks 1 to N, as in the format type 0 but which differs from the format type 0 in that the N blocks are all of the same size. The aspect of the process for encrypting blocks with the content key Kcon is similar to that in the format type 0. Additionally, as in the above described format type 0, the content key Kcon and the block information table key Kbit are encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device. Unlike the format type 0, the format type 1 has a fixed block configuration to simplify configuration data such as data length for each block, thereby enabling a memory size for block information to be reduced compared to the format type 0.

[0629] In the example of configuration in FIG. 33, each block comprises a set of an encrypted part and a non-encrypted (plain text) part. If the length and configuration of the block are thus regular, each block length or configuration need not be checked during the decryption process or the like, thereby enabling efficient decryption and encryption processes. In the format 1, the parts constituting each block, that is, the encrypted part and the non-encrypted (plain text) part can each be defined as an object to be checked, so that the content integrity check value ICVi is defined for a block containing a part that must be checked.

[0630] FIG. 34 shows a format type 2, which is characterized in that the data are divided into N data blocks all having the same size, that is, blocks 1 to N, each of which is encrypted with an individual block key Kblc. Each block key Kblc is encrypted with the content key Kcon, which is encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device. The block information table key Kbit is also encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device.

[0631] FIG. 35 shows a format type 3, which is characterized in that the data are divided into N data blocks all having the same size, that is, blocks 1 to N, each of which is encrypted with an individual block key Kblc, as in the format type 2, and in that each block key Kblc is encrypted with the distribution key Kdis on the medium or with the storage key Kstr on the recording device, without the use of the content key. No content key Kcon is present on the medium or on the device. The block information table key Kbit is encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device.

[0632] Next, the contents of the data in the above format types 0 to 3 will be described. As previously described, the data are roughly divided into two, that is, the header section and the content section. The header section contains the content ID, the usage policy, the integrity check values A and B, the total integrity check value, the block information table key, the content key, and the block information table.

[0633] The usage policy stores the data length of a content, its header length, its format type (formats 0 to 3 described below), a content type indicating whether the content is a program or data, a localization flag that determines whether the content can be used only by a particular recording and reproducing device as described in the section relating to the processes for downloading and reproducing a content to and from the recording device, a permission flag for a content copying or moving process, and various localization and process information for the content such as a content encryption algorithm and a mode.

[0634] The integrity check value A: ICVa is used to check the content ID and the usage policy and is generated using, for example, the method described in the above described FIG. 23. The block information table key Kbit is used to encrypt the block information table and is encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device, as previously described.

[0635] The content key Kcon is used to encrypt a content. For the format types 0 and 1, it is encrypted with the distribution key Kdis on the medium or with the storage key Kstr stored in the internal memory of the recording device when it is stored in the recording device, similarly to the block information table key Kbit. For the format type 2, the content key Kcon is also used to encrypt the block key Kblc configured for each content block. Additionally, for the format type 3, no content key Kcon is present.

[0636] The block information table describes information on the individual blocks and stores the size of each block and a flag indicating whether the block has been encrypted, that is, information indicating whether or not the block is to be checked (ICV). If the block is to be checked, the block integrity check value ICVi (the integrity check value for the block i) is defined and stored in the table. This block information table is encrypted with the block information table key Kbit.

[0637] If the block has been encrypted, the block integrity check value, that is, the content integrity check value ICVi is generated by exclusive-ORing the entire plain text (decrypted text) every 8 bytes and then encrypting the obtained value with the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device 300. Additionally, if the block has not been encrypted, the block integrity check value is generated by sequentially inputting the entire block data (plain text) to a tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time. FIG. 36 shows an example of a configuration for generating the content block integrity check value ICVi. Each message M constitutes each set of 8 bytes of decrypted text data or plain text data.

[0638] For the format type 1, if at least one of the parts in the block is data to be processed with the integrity check value ICVi, that is, a part to be checked, the content integrity check value ICVi is defined for that block. An integrity check value P-ICVij for a part j of a block i is generated by exclusive-ORing the entire plain text (decrypted text) every 8 bytes and then encrypting the obtained data with the content-integrity-check-value-generating value Kicvc. In addition, if a part j has not been encrypted, the integrity check value P-ICVij is generated by sequentially inputting the entire block data (plain text) to the tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.

[0639] Further, if the block i contains one part having [ICV flag=subject of ICV] indicating that it is to be checked, the integrity check value P-ICVij generated using the above method is directly used as the block integrity check value ICVi. If the block i contains a plurality of parts having [ICV flag=subject of ICV] indicating that they are to be checked, the integrity check value P-ICVij is generated by connecting a plurality of parts integrity check values P-ICVij together in accordance with part numbers to obtain data and sequentially inputting the entire data (plain data) to the tamper-check-value-generating function shown in FIG. 37 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time. FIG. 37 shows an example of configuration for generating the content block content integrity check value ICVi.

[0640] The block integrity check value ICVi is not defined for the format types 2 or 3.

[0641] The integrity check value B: ICVb is used to check the block information table key, the content key, and the entire block information table and is generated using, for example, the method described in the previously described FIG. 24.

[0642] The total integrity check value ICVt is used to check the entirety of the previously described integrity check values A: ICVa and B: ICVb and the integrity check value ICVi contained in each block of the content to be checked and is generated by applying the system signature key Ksys to the intermediate integrity check value generated from each integrity check value such as the integrity check value A: ICVa to execute the encryption process as described in the previously described FIG. 25.

[0643] For the format types 2 and 3, the total integrity check value ICVt is generated by applying the system signature key Ksys to the intermediate integrity check value generated by connecting the previously described integrity check values A: ICVa and B: ICVb to the content data, that is, the entire content data between the block key in block 1 and the final block, to execute the encryption process. FIG. 38 shows an example of configuration for generating the total integrity check value ICVt for the format types 2 and 3.

[0644] The unique integrity check value ICVdev is substituted with the total integrity check value ICVt if the previously described localization flag is set to 1, that is, indicates that the content can be used only by a particular recording and reproducing device. For the format types 0 and 1, the unique integrity check value ICVdev is generated to check the previously described integrity check values A: ICVa and B: ICVb and the integrity check value ICVi contained in each block of the content to be checked. Specifically, the unique integrity check value ICVdev is generated by applying the recording and reproducing device signature key Kdev to the intermediate integrity check value generated from the integrity check values such as the integrity check value A: ICVa, as explained in the previously described FIG. 25 or 38.

[0645] Next, processes for downloading a content of each of the format types 0 to 3 from the recording and reproducing device 300 to the recording device 400 and processes executed by the recording and reproducing device 300 to reproduce a content of each of the format types 0 to 3 from the recording device 400 will be described with reference to the flow charts in FIGS. 39 to 44.

[0646] First, the process for downloading a content of the format type 0 or 1 will be explained with reference to FIG. 39.

[0647] The process shown in FIG. 39 is started, for example, by installing the recording device 400 into the recording and reproducing device 300 shown in FIG. 3. At step S101, authentication is executed between the recording and reproducing device and the recording device, and this step is carried out in accordance with the authentication process flow previously described in FIG. 20.

[0648] If the authentication process at step S101 has been completed to set the authentication flag, then at step S102, the recording and reproducing device 300 reads data of a predetermined format from the medium 500 via the read section 304, the medium 500 storing content data, or uses the communication section 305 to receive data from the communication means 600 in accordance with a predetermined format. Then, the control section 301 of the recording and reproducing device 300 transmits the header section of the data to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0649] Next, at step S103, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in FIG. 23. Then at step S104, the integrity check value A and the check value: ICVa stored in the header are compared together, and if they are equal, the process proceeds to step S105.

[0650] As previously described, the check value A, ICVa is used to verify that the content ID and the usage policy have not been tampered with. If the integrity check value A calculated, for example, in accordance with the ICV calculation, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, equals the check value: ICVa stored in the header, it is determined that the content ID and the usage policy have not been tampered with.

[0651] Next, at step S105, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to obtain or generate the distribution key Kdis. The distribution key Kdis is generated using, for example, the master key MKdis for the distribution key, as in step S53 in the previously described FIG. 22.

[0652] Then at step S106, the control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 as well as the generated distribution key Kdis, to decrypt the block information table key Kbit and content key Kcon stored in the header section of the data obtained from the medium 500 via the read section 304 or received from the communication means 600 via the communication section 305.

[0653] Further, at step S107, the control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt the block information table with the decrypted block information table key Kbit.

[0654] Further, at step S108, the control section 306 of the recording and reproducing device cryptography process section 302 calculates the integrity check value B (ICVb′) from the block information table key Kbit, the content key Kcon, and the block information table (BIT). The integrity check value B is generated, as shown in FIG. 24, by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt an exclusive-ORed value based on the DES, the exclusive-ORed value comprising the block information table key Kbit, the content key Kcon, and the block information table (BIT). Then at step S109, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S110.

[0655] As previously described, the check value B, ICVb is used to verify that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with. If the integrity check value B generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, dividing the block information table key Kbit, the content key Kcon, and the block information table (BIT) into 8-byte pieces, exclusive-ORing these data, and encrypting the exclusive-ORed data based on the DES, equals the check value: ICVb stored in the header, it is determined that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

[0656] At step S110, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in FIG. 7 or the like, using as a key the total-integrity-check-value-generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B and all the held content integrity check values as a message. The intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0657] Next, at step S111, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt′. As shown in FIG. 25, the total integrity check value ICVt is generated by using as a key a system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the intermediate integrity check value based on the DES. Then at step S112, the total integrity check value ICVt generated and the ICVt′ in the header stored at step S112 are compared together, and if they are equal, the process proceeds to step S113. As previously described in FIG. 4, the total integrity check value ICVt is used to verify that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value: ICVt stored in the header, it is determined that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with.

[0658] Then at step S113, the control section 301 of the recording and reproducing device 300 takes content block information out from the block information table (BIT) and checks whether any content block is to be verified. If any content block is to be verified, the content integrity check value has been stored in the block information in the header.

[0659] If any content block is to be verified, then at step S114, the control section 301 reads this content block out from the medium 500 using the read section 304 of the recording and reproducing device 300 or received from the communicating means 600 by using the communication section 305 of the recording and reproducing device 300, and transmits the content block to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the content block, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content integrity check value ICVi′.

[0660] If the block has been encrypted, the content integrity check value ICVi is generated by decrypting the input content block in the DES CBC mode using the content key Kcon, exclusive-ORing all of the decrypted text every 8 bytes, and then encrypting the generated content intermediate value with the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device 300. Additionally, if the block has not been encrypted, the content integrity check value is generated by sequentially inputting the entire block data (plain text) to the tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.

[0661] Then at step S115, the control section 306 of the recording and reproducing device cryptography process section 302 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 at step S102, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result and if the verification has been successful, the control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes are repeated until all the content blocks are verified (step S116).

[0662] In this regard, if the check values are not equal at any of steps 104, 109, 112, and 115, an error occurs to end the download process.

[0663] Then at step S117, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt the block information key Kbit and content key Kcon decrypted at step S106, using the session key Kses made sharable during the mutual authentication. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the content key Kcon out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 and then transmits them to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0664] Then at step S118, on receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the session key Kses made sharable during the mutual authentication and to then reencrypt the decrypted data using the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401. Then, the control section 301 of the recording and reproducing device 300 reads the block information key Kbit and the content key Kcon out from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300, the block information key Kbit and the content key Kcon being reencrypted with the storage key Kstr. That is, the block information table key Kbit encrypted with the distribution key Kdis is exchanged with the content key Kcon.

[0665] Then at step S119, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy in the header section of the data, to determine whether the downloaded content can be used only in this recording and reproducing device 300. If the localization field is set to 1, the downloaded content can be used only by the recording and reproducing device 300; if the localization field is set to 0, the downloaded content can also be used by other similar recording and reproducing devices 300. If the result of the determination shows that the localization field is set to 1, the process proceeds to step S120.

[0666] At step S120, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to calculate the integrity check value unique to the recording and reproducing device. The integrity check value unique to the recording and reproducing device is generated by using as a key a recording and reproducing device signature key Kdev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being generated at step S110. The calculated integrity check value ICVdev unique to the recording and reproducing device substitutes for the total integrity check value ICVt.

[0667] As previously described, the system signature key Ksys is used to add a common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev varies depending on the recording and reproducing device and is used by the recording and reproducing device to add a signature or ICV. That is, data signed with the system signature key Ksys are successfully checked by a system (recording and reproducing device) having the same system signature key, that is, such data have the same total integrity check value ICVt so as to be sharable. If, however, data are signed with the recording and reproducing device signature key Kdev, since this signature key is unique to the recording and reproducing device, the data signed with the recording and reproducing device signature key Kdev, that is, the data stored in a recording device after the signing cannot be reproduced if an attempt is made to reproduce them after this recording device has been inserted in another recording and reproducing device; that is, an error occurs due to the unequal integrity check values ICVdev unique to the recording and reproducing device. In the data processing apparatus according to the present invention, the setting of the localization field enables contents to be arbitrarily set so as to be shared throughout the entire system or used only by particular recording and reproducing devices.

[0668] Next, at step S121, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 to form a storage data format. As previously described, one of the three format types 0 to 3 is set in the usage policy (see FIG. 5) in the header so that data are formed in accordance with the storage format in the right of one of the previously described FIGS. 32 to 35 depending on the set type. The flow shown in FIG. 39 is for the format 0 or 1, so that the data are formed into one of the formats in FIGS. 32 and 33.

[0669] Once the storage data format has been completed at step S121, the control section 301 of the recording and reproducing device 300 stores the content in the external memory 402 of the recording device 400 at step S122.

[0670] How the process for downloading content data of the format type 0 or 1 is carried out has been described.

[0671] The process for downloading content data of the format type 2 will be explained with reference to FIG. 40. Differences from the above described process for downloading data of the format type 0 or 1 will be focused on.

[0672] Steps S101 to S109 are similar to the above described process for downloading data of the format type 0 or 1, so description thereof is omitted.

[0673] Since the format type 2 has no content integrity check value ICVi defined therefor as previously described, the block information table contains no content integrity check value ICVi. The intermediate integrity check value in the format type 2 is generated by applying the system signature key Ksys to the intermediate integrity check value generated by connecting the integrity check values A and B to the entire content data between the leading data of the first block (the block key in the block 1) and the final block, to execute the encryption process.

[0674] Thus, in the process for downloading data of the format type 2, the content data are read out at step S151, and the intermediate integrity check value is generated based on the integrity check values A and B and the read-out content data at step S152. In this regard, the content data are not decrypted even if they have been encrypted.

[0675] For the format type 2, the processes for decrypting the block data and collating the content integrity check values are omitted contrary to the previously described process for the format type 0 or 1, thereby increasing the processing speed.

[0676] The processing at step S111 and subsequent steps is similar to that for the format type 0 or 1, so description thereof is omitted.

[0677] How the process for downloading content data of the format type 2 is carried out has been described. As described above, the process for downloading data of the format type 2 omits the processes for decrypting the block data and collating the content integrity check values contrary to the process for the format type 0 or 1, thereby increasing the processing speed; this format is thus suitable for processing of music data or the like which must be executed in real time.

[0678] Next, the process for downloading content data of format type 3 will be described with reference to FIG. 41. The following description will focus on differences from the above described download process for the format types 0, 1, and 2.

[0679] Steps S101 to S105 are similar to those of the above described download process for the format types 0, 1, and 2.

[0680] The process for the format type 3 essentially has many characteristics in common with that for the format type 2, but differs therefrom in that the format type 3 has no content key in that the block key Kblc is stored in the recording device after encryption with the storage key Kstr.

[0681] The following description will focus on the differences between the download process for the format type 3 and that for the format type 2. With the format type 3, at step S161, following step S105, the block information table key is decrypted. The control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 as well as the distribution key Kdis generated at step S105 to decrypt the block information table key Kbit stored in the header section of the data obtained from the medium 500 via the read section 304 or received from the communication means 600 via the communication section 305. With the format type 3, data contains no content key Kcon, so that the process for decrypting the content key Kcon is not executed.

[0682] At the next step S107, the block information table key Kbit decrypted at step S161 is used to decrypt the block information table, and at step S162, the control section 306 of the recording and reproducing device cryptography process section 302 generates integrity check value B (ICVb′) from the block information table key Kbit and block information table (BIT). The integrity check value B is generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the exclusive-ORed value comprising the block information table key Kbit and block information table (BIT), based on the DES. Next, at step S109, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S151.

[0683] With the format type 3, the check value B, ICVb functions to verify that the block information table key Kbit and the block information table have not been tampered with. If the integrity check value B generated equals the check value: ICVb stored in the header, it is determined that the block information table key Kbit and the block information table have not been tampered with.

[0684] Steps S151 to S112 are similar to those of the process for the format type 2, and description thereof is omitted.

[0685] At step S163, the block key Kblc contained in the content data read out at step S151 is decrypted with the distribution key Kdis generated at step S105.

[0686] Then at step S164, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt the block information key Kbit decrypted at step S161 and the block key Kblock decrypted at step S163, using the session key Kses made sharable during the mutual authentication. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the block key Kblc out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 and then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0687] Then at step S165, on receiving the block information table key Kbit and the block key Kblc transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the session key Kses made sharable during the mutual authentication and to then reencrypt the decrypted data using the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the block key Kblc reencrypted by a storage key Kstr from the recording device 400 via the recording device controller of the recording and reproducing device 300. That is, the block information table key Kbit and block key Kblc initially encrypted with the distribution key Kdis are replaced with the block information table key Kbit and block key Kblc reencrypted with the storage key Kstr.

[0688] The subsequent steps S119 to S122 are similar to those for the format types 0, 1, and 2, so description thereof is omitted.

[0689] The aspect of the process for downloading content data of the format type 3 has been described. As described above, the download process for the format type 3 omits the decryption of the block data and the process for collating the content integrity check value as for the format type 2, thereby enabling prompt processing; the format type 3 is thus suitable for processing data such as music data which requires real-time processing. In addition, since the range within which the encrypted content is protected is localized by the block key Kblc, advanced security is achieved compared to the format type 2.

[0690] Next, processes for reproducing data of each of the format types 0 to 3 from the recording device 400 of the recording and reproducing device 300 will be explained with reference to the flow charts in FIGS. 42 to 45.

[0691] First, a process for reproducing a content of the format type 0 will be explained with reference to FIG. 42.

[0692] Step S201 corresponds to an authentication process between the recording and reproducing device and the recording device and is executed in accordance with the authentication process flow previously described in FIG. 20.

[0693] Once the authentication process at step S201 has been completed to set the authentication flag, at step S202, the recording and reproducing device 300 reads the header of data of a predetermined format out from the recording device 400 and transmits it to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0694] Then at step S203, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in the previously described FIG. 23. Then, the integrity check value A and the check value: ICVa stored in the header are compared together at step S204, and if they are equal, the process proceeds to step S205.

[0695] The check value A, ICVa is used to verify that the content ID and the usage policy have not been tampered with. If the calculated integrity check value A equals the check value: ICVa stored in the header, it is determined that the content ID and the usage policy have not been tampered with.

[0696] Then at step S205, the control section 301 of the recording and reproducing device 300 takes out, from the read-out header section, the block information table key Kbit and content key Kcon encrypted with the storage key Kstr unique to the recording device and then transmits them to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0697] On receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process and to then reencrypt the decrypted data using the session key Kses made sharable during the mutual authentication. This process is as previously described in detail in (9) Key Exchange Process after Mutual Authentication.

[0698] At step S206, the control section 301 of the recording and reproducing device 300 receives the block information table key Kbit and content key Kcon reencrypted with the session key Kses, from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0699] Then at step S207, the control section 301 of the recording and reproducing device 300 transmits the received block information table key Kbit and content key Kcon which are reencrypted with the session key Kses, to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the block information table key Kbit and content key Kcon reencrypted with the session key Kses the content block, the cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt these keys Kbit and Kcon with the session key Kses made sharable during the mutual authentication.

[0700] Further at step S208, the decrypted block information table key Kbit is used to decrypt the block information read out at step S202. The recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 replaces the decrypted block information table key Kbit, content key Kcon, and block information table BIT with the block information table key Kbit, content key Kcon, and block information table BIT contained in the header read out at step S202, to hold the latter. Additionally, the control section 301 of the recording and reproducing device 300 reads the decrypted block information table BIT out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0701] Further, at step S209, the control section 306 of the recording and reproducing device cryptography process section 302 generates the integrity check value B (ICVb′) from the block information table key Kbit, the content key Kcon, and the block information table (BIT). The integrity check value B is generated, as shown in FIG. 24, by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the exclusive-ORed value comprising the block information table key Kbit, the content key Kcon, and the block information table (BIT), based on the DES. Then at step S210, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S211.

[0702] The check value B, ICVb is used to verify that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with. If the integrity check value B generated equals the check value: ICVb stored in the header, it is determined that the block information table key Kbit, the content key Kcon, and the block information table stored in the recording device 400 have not been tampered with.

[0703] At step S211, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in FIG. 7, using as a key the total-integrity-check-value generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B in the verified header and all the content integrity check values in the block information table as a message as shown in FIG. 25. In this regard, the intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0704] Next, at step S212, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy contained in the header section of the data read from the external memory 402 of the recording device 400 to determine whether the content to be reproduced can be used only by this recording and reproducing device 300 (in this case, the localization field is set to 1) or also by other similar recording and reproducing devices 300 (in this case, the localization field is set to 0). If the result of the determination shows that the localization field is set to 1, that is, the reproduced content can be used only by this recording and reproducing device 300, the process proceeds to step S213. If the localization field is set to 0, that is, the reproduced content can also be used by other similar recording and reproducing devices 300, the process proceeds to step S215. The processing at step S211 may be executed by the cryptography process section 302.

[0705] At step S213, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to calculate the integrity check value ICVdev′ unique to the recording and reproducing device. The integrity check value ICVdev′ unique to the recording and reproducing device is generated, as shown in FIG. 25, by using as a key a recording and reproducing device signature key Kdev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being held at step S58.

[0706] Then at step S214, the integrity check value ICVdev′ unique to the recording and reproducing device calculated at step S213 and the ICVdev in the header read out at step S202 are compared together, and if they are equal, the process proceeds to step S217.

[0707] On the other hand, at step S215, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt. The total integrity check value ICVt′ is generated by using as a key the system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, as shown in FIG. 25. Then at step S216, the total integrity check value ICVt′ generated and the ICVt in the header are compared together, and if they are equal, the process proceeds to step S217.

[0708] The total integrity check value ICVt and the integrity check value ICVdev unique to the recording and reproducing device are used to verify that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value: ICVt or ICVdev stored in the header, it is determined that all of the integrity check values for each content block have not been tampered with.
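The check-value chain of the download steps S103 to S120 and the localization branch of the reproduction steps S212 to S216 can be followed in this added Python example, which is not part of the original specification. Assumptions: a small Feistel function stands in for DES, the FIG. 7 ICV calculation is taken to be the same CBC-MAC construction the text names for FIG. 36, the final step encrypts on both sides, key wrapping with Kdis, Kses and Kstr is omitted, and the header layout, key values and content blocks are constructed.

```python
import hashlib

BLOCK = 8  # DES block size in bytes

def enc(key, block):
    """Stand-in 64-bit Feistel block cipher (assumption: NOT real DES)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pieces(data):
    """Split into 8-byte pieces; zero-padding the tail is an assumption."""
    data += bytes(-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, msg):
    """CBC-MAC, 8 bytes at a time (used for ICVa, ICVi and the intermediate value)."""
    state = bytes(BLOCK)
    for p in pieces(msg):
        state = enc(key, xor(state, p))
    return state

def xor_then_encrypt(key, msg):
    """ICVb: exclusive-OR all 8-byte pieces, then encrypt the result once."""
    folded = bytes(BLOCK)
    for p in pieces(msg):
        folded = xor(folded, p)
    return enc(key, folded)

def usage_policy(h):
    # Constructed layout: byte 0 of the usage policy is the localization field.
    return bytes([h["localization"]]) + h["policy_rest"]

def intermediate(keys, h):
    # Message = ICVa, ICVb and the content ICVs held in the BIT.
    return cbc_mac(keys["Kicvt"], h["ICVa"] + h["ICVb"] + h["BIT"])

def verify(keys, h, blocks, final_key):
    """Return 'ok' or the name of the first check that fails, in flow-chart order."""
    if cbc_mac(keys["Kicva"], h["content_id"] + usage_policy(h)) != h["ICVa"]:
        return "ICVa"
    if xor_then_encrypt(keys["Kicvb"], h["Kbit"] + h["Kcon"] + h["BIT"]) != h["ICVb"]:
        return "ICVb"
    if enc(keys[final_key], intermediate(keys, h)) != h["ICVfinal"]:
        return "ICVt" if final_key == "Ksys" else "ICVdev"
    for i, (blk, stored) in enumerate(zip(blocks, pieces(h["BIT"]))):
        if cbc_mac(keys["Kicvc"], blk) != stored:  # unencrypted-block case
            return f"ICVi[{i}]"
    return "ok"

def publish(keys, content_id, localization, blocks):
    """Distributor side: build a header whose final check value uses Ksys."""
    h = {"content_id": content_id, "localization": localization,
         "policy_rest": bytes(7), "Kbit": b"bitkey00", "Kcon": b"conkey00"}
    # Constructed BIT: only the per-block content ICVs, back to back.
    h["BIT"] = b"".join(cbc_mac(keys["Kicvc"], b) for b in blocks)
    h["ICVa"] = cbc_mac(keys["Kicva"], h["content_id"] + usage_policy(h))
    h["ICVb"] = xor_then_encrypt(keys["Kicvb"], h["Kbit"] + h["Kcon"] + h["BIT"])
    h["ICVfinal"] = enc(keys["Ksys"], intermediate(keys, h))
    return h

def download(keys, h, blocks):
    """S103-S120: verify against Ksys, then bind to this device if localized."""
    result = verify(keys, h, blocks, "Ksys")
    if result != "ok":
        return None, result
    stored = dict(h)
    if h["localization"] == 1:
        # ICVdev substitutes for ICVt in the stored header.
        stored["ICVfinal"] = enc(keys["Kdev"], intermediate(keys, h))
    return stored, "ok"

def reproduce(keys, stored, blocks):
    """S203-S222: the localization field selects Kdev or Ksys."""
    final_key = "Kdev" if stored["localization"] == 1 else "Ksys"
    return verify(keys, stored, blocks, final_key)

def device_keys(kdev):
    """Constructed key set: five system-wide keys plus one device-unique Kdev."""
    names = ("Kicva", "Kicvb", "Kicvc", "Kicvt", "Ksys")
    keys = {n: hashlib.sha256(n.encode()).digest()[:8] for n in names}
    keys["Kdev"] = kdev
    return keys

DEV_A = device_keys(b"device-A")
DEV_B = device_keys(b"device-B")
BLOCKS = [b"constructed audio frame 0", b"constructed audio frame 1"]
```

A header stored with the localization field set to 1 reproduces only under the Kdev that wrote it, and editing the field afterwards fails at ICVa because the usage policy is part of that message.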

[0709] Next, at step S217, the control section 301 of the recording and reproducing device 300 reads the block data out from the recording device 400. Furthermore, at step S218, it is determined whether or not the data have been encrypted, and if the data have been encrypted, the cryptography process section 302 of the recording and reproducing device 300 decrypts the block data. If the data have not been encrypted, the process skips step S219 and advances to step S220.

[0710] Then at step S220, the control section 301 of the recording and reproducing device 300 checks whether any content block is to be verified, based on the content block information table in the block information table (BIT). If any content block is to be verified, the content integrity check value has been stored in the block information in the header. In this case, the content integrity check value ICVi for this content block is calculated at step S221. If no content block is to be verified, the process skips steps S221 and S222 to advance to step S223.

[0711] If the block has been encrypted as previously described in FIG. 36, the content integrity check value ICVi′ is generated by decrypting the input content block with the content key Kcon in the DES CBC mode, exclusive-ORing all of the result every 8 bytes to generate the content intermediate value, and then encrypting the obtained value with the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device 300. Additionally, if the block has not been encrypted, the content integrity check value is generated by sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.

[0712] At step S222, the control section 306 of the recording and reproducing device cryptography process section 302 compares the generated content integrity check value ICVi′ with the ICVi stored in the content block received from the recording device 400 at step S202, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result and if the verification has been successful, the content plain data for execution (reproduction) on the RAM of the recording and reproducing device system at step S223. The control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes and RAM storage processes are repeated until all the content blocks are verified (step S224).

[0713] If the check values do not match at any of steps S204, S210, S214, S216, and S222, an error occurs to end the reproduction process.

[0714] When it is determined at step S224 that all the blocks have been read out, the process proceeds to step S225 to start executing and reproducing the content (program or data).

[0715] The aspect of the process for reproducing content data of the format type 0 has been explained.

[0716] Next, the process for downloading content data of the format type 1 will be explained with reference to FIG. 43. The following description will focus on differences from the above described download process for the format type 0.

[0717] The processing from steps S201 to S217 is similar to that in the above described download process for the format type 0, so description thereof is omitted.

[0718] For the format type 1, at step S231, encrypted parts are decrypted to generate a part ICV. Further at step S232, the block ICVi′ is generated. As previously described, with the format type 1, if at least one of the parts in a block contains data to be verified with the integrity check value ICVi, the content integrity check value ICVi is defined for this block. If the part j has been encrypted, an integrity check value P-ICVij for a part j of a block i is generated by exclusive-ORing the entire plain text (decrypted text) every 8 bytes and decrypting the obtained value with the content-integrity-check-value-generating key Kicvc. Additionally, if the part j has not been encrypted, the integrity check value P-ICVij is generated by sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.

[0719] Further, if the block i contains only one part having [ICV flag=subject of ICV] indicating that it is to be checked, the integrity check value P-ICVij generated using the above method is directly used as the block integrity check value ICVi. If the block i contains a plurality of parts having [ICV flag=subject of ICV] indicating that they are to be checked, the integrity check value P-ICVij is generated by connecting a plurality of parts integrity check values P-ICVij together in accordance with part numbers to obtain data and sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in FIG. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time. This is the same as explained in FIG. 37.

[0720] For the format type 1, the content integrity check value generated by means of the above described procedure undergoes comparison at step S222. Processing at the next step S223 and the subsequent steps is similar to that for the format type 0, so description thereof is omitted.
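The format type 1 block check of paragraphs [0718] to [0720], written out as an added Go example; it is not code from the patent. Assumptions made here: the CBC-MAC uses a zero IV, parts arrive as plain text (after step S231) in part-number order, and all type names, function names, keys and sample data are constructed for the illustration.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Part is one part j of block i as plain text (after step S231).
type Part struct {
	Plain     []byte // length must be a non-zero multiple of 8 bytes
	Encrypted bool   // the part was stored encrypted on the recording device
	Checked   bool   // [ICV flag = subject of ICV]
}

// desFor returns a DES cipher after checking that data fills whole blocks.
func desFor(key, data []byte) (cipher.Block, error) {
	if len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, errors.New("data must be a non-zero multiple of 8 bytes")
	}
	return des.NewCipher(key)
}

// cbcMAC is DES-CBC-MAC, 8 bytes input each time; zero IV is an assumption.
func cbcMAC(key, data []byte) ([]byte, error) {
	c, err := desFor(key, data)
	if err != nil {
		return nil, err
	}
	mac := make([]byte, des.BlockSize)
	for off := 0; off < len(data); off += des.BlockSize {
		for i := range mac {
			mac[i] ^= data[off+i]
		}
		c.Encrypt(mac, mac)
	}
	return mac, nil
}

// partICV returns P-ICVij as described in [0718].
func partICV(kicvc []byte, p Part) ([]byte, error) {
	if !p.Encrypted {
		return cbcMAC(kicvc, p.Plain)
	}
	c, err := desFor(kicvc, p.Plain)
	if err != nil {
		return nil, err
	}
	fold := make([]byte, des.BlockSize)
	for i, b := range p.Plain { // exclusive-OR the plain text every 8 bytes
		fold[i%des.BlockSize] ^= b
	}
	c.Decrypt(fold, fold) // [0718]: the folded value is decrypted with Kicvc
	return fold, nil
}

// blockICV returns ICVi for block i, or nil when no part is flagged.
func blockICV(kicvc []byte, parts []Part) ([]byte, error) {
	var joined []byte
	for _, p := range parts { // slice order stands for part-number order
		if !p.Checked {
			continue
		}
		v, err := partICV(kicvc, p)
		if err != nil {
			return nil, err
		}
		joined = append(joined, v...)
	}
	if len(joined) <= des.BlockSize {
		return joined, nil // no part: nil; one part: P-ICVij used directly
	}
	return cbcMAC(kicvc, joined) // several parts: MAC over the joined P-ICVs
}

// verifyBlock is the comparison of step S222, done in constant time.
func verifyBlock(kicvc []byte, parts []Part, stored []byte) bool {
	got, err := blockICV(kicvc, parts)
	if err != nil || got == nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, stored) == 1
}

func main() {
	kicvc := []byte("Kicvc-01") // constructed 8-byte key
	parts := []Part{ // constructed data: two checked parts, one unchecked
		{Plain: []byte("constructed-p0.."), Encrypted: true, Checked: true},
		{Plain: []byte("constructed-p1.."), Checked: true},
		{Plain: []byte("constructed-p2..")},
	}
	icv, err := blockICV(kicvc, parts)
	fmt.Printf("ICVi=%x err=%v ok=%v\n", icv, err, verifyBlock(kicvc, parts, icv))
}
```

A part without the ICV flag contributes nothing to ICVi, so a change to it passes this block check; only flagged parts are covered.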

[0721] Next, the process for reproducing content data of the format type 2 will be explained with reference to FIG. 44. The following description will focus on differences from the above described reproduction processes for the format types 0 and 2.

[0722] The processing at steps S201 to S210 is similar to that in the above described reproduction processes for the format types 0 and 1, so description thereof is omitted.

[0723] For the format type 2, the processing at steps S211 to S216, which is executed for the format types 0 and 1, is not executed. In addition, the format type 2 has no content integrity check value, so that verification of the content integrity check value, which is executed for the format types 0 and 1, is not executed.

[0724] In the data reproduction process for the format type 2, after step S210 for verifying the integrity check value B, the process proceeds to step S217 where the block data are read out under the control of the control section 301 of the recording and reproducing device 300. Further, at step S241, the cryptography process section 306 of the recording and reproducing device 300 decrypts the block key Kblc contained in the block data. The block key Kblc stored in the recording device 400 has been encrypted with the content key Kcon as shown in FIG. 34 and is thus decrypted with the content key Kcon decrypted at the previous step S207.

[0725] Then at step S242, the block key Kblc decrypted at step S241 is used to decrypt the block data. Furthermore, at step S243, the content (program or data) is executed and reproduced. The processing from steps S217 to S243 is repeated for all the blocks. When it is determined at step S244 that all the blocks have been read out, the reproduction process is ended.

[0726] As described above, the process for the format type 2 omits the process for verifying the integrity check value such as the total integrity check value. It thus provides a configuration suitable for executing the decryption process at a high speed and a format suitable for processing data such as music data which requires real-time processing.

[0727] Next, the process for reproducing content data of format type 3 will be described with reference to FIG. 45. The following description will focus on differences from the above described reproduction process for the format types 0, 1, and 2.

[0728] The process for the format type 3 essentially has many characteristics in common with that for the format type 2, but differs therefrom in that, as described in FIG. 35, the format type 3 has no content key in that the block key Kblc is stored in the recording device after encryption with the storage key Kstr.

[0729] Between steps S201 and S210, processing at steps S251, S252, S253, and S254 is configured to omit the use of the content key contrary to the corresponding processing for the formats 0, 1, and 2.

[0730] At step S251, the control section 301 of the recording and reproducing device 300 takes out, from the read-out header, the block information table key Kbit encrypted with the storage key Kstr unique to the recording device and then transmits this key to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0731] On receiving the block information table key Kbit transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process section 401 and to then reencrypt the decrypted data using the session key Kses made sharable during the mutual authentication. This process is as previously described in detail in (9) Key Exchange Process after Mutual Authentication.

[0732] At step S252, the control section 301 of the recording and reproducing device 300 receives the block information table key Kbit reencrypted with the session key Kses, from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0733] Then at step S253, the control section 301 of the recording and reproducing device 300 transmits the received block information table key Kbit reencrypted with the session key Kses, to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the block information table key Kbit reencrypted with the session key Kses the content block, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt this block information table key Kbit with the session key Kses made sharable during the mutual authentication.

[0734] Further at step S208, the decrypted block information table key Kbit is used to decrypt the block information read out at step S202. The recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 replaces the decrypted block information table key Kbit and block information table BIT with the block information table key Kbit and block information table BIT contained in the header read out at step S202, to hold the latter. Additionally, the control section 301 of the recording and reproducing device 300 reads the decrypted block information table BIT out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0735] Further, at step S254, the control section 306 of the recording and reproducing device cryptography process section 302 generates the integrity check value B (ICVb′) from the block information table key Kbit and the block information table (BIT). The integrity check value B is generated, as shown in FIG. 24, by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the exclusive-ORed value comprising the block information table key Kbit and the block information table (BIT), based on the DES. Then at step S210, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S211.

[0736] With the format type 3, the block key is further encrypted with the storage key when stored in the recording device, thereby requiring the recording device 400 to execute decryption processes with the storage key and the session key Kses and also requiring the recording and reproducing device 300 to execute a decryption process with the session key. This series of steps corresponds to the process steps shown as steps S255 and S256.

[0737] At step S255, the control section 301 of the recording and reproducing device 300 takes out, from the read-out header, the block key Kblc encrypted with the storage key Kstr unique to the recording device which has been read out at step S217 and then transmits this key to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0738] On receiving the block key Kblc transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process section 401 and to then reencrypt the decrypted data using the session key Kses made sharable during the mutual authentication. This process is as previously described in detail in (9) Key Exchange Process after Mutual Authentication.

[0739] At step S256, the control section 301 of the recording and reproducing device 300 receives the block key Kblc reencrypted with the session key Kses, from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0740] Then, at step S257, the cryptography process section 306 of the recording and reproducing device 300 decrypts the block key Kblc using the session key Kses.

[0741] Then at step S242, the block key Kblc decrypted at step S257 is used to decrypt the block data. Furthermore, at step S243, the content (program or data) is executed and reproduced. The processing from steps S217 to S243 is repeated for all the blocks. When it is determined at step S244 that all the blocks have been read out, the reproduction process is ended.

[0742] The process for reproducing a content of the format type 3 has been described. The format type 3 is similar to the format type 2 in that the process for verifying the total integrity check value is omitted, but provides a processing configuration with a higher security level due to the inclusion of the process for exchanging the block key.

[0743] (11) Process Executed by Content Provider to Generate Integrity Check Value (ICV)

[0744] In the above described embodiments, the verification processes with the various integrity check values ICV are executed during downloading or reproduction of a content. Aspects of the process for generating the integrity check values ICV and the verification process will be described below.

[0745] First, each of the integrity check values explained in the embodiments will be described in brief. The following integrity check values ICV are used in the data processing apparatus according to the present invention.

[0746] Integrity check value A, ICVa: integrity check value for verifying that the content ID and usage policy in the content data have not been tampered with.

[0747] Integrity check value B, ICVb: integrity check value for verifying that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

[0748] Content integrity check value ICVi: integrity check value for verifying that each content block of the content has not been tampered with.

[0749] Total integrity check value ICVt: integrity check value for verifying that the integrity check value ICVa, the integrity check value ICVb, and all the integrity check values for the content blocks have not been tampered with.

[0750] Integrity check value ICVdev unique to the recording and reproducing device: integrity check value that is replaced with the total integrity check value ICVt if the localization flag is set to 1, that is, the content can be used only by a particular recording and reproducing device and that is generated as an integrity check value for the previously described integrity check value A: ICVa, integrity check value B: ICVb, and integrity check value ICVi contained in each block of the content to be checked.

[0751] Depending on the format, not the check value for each content block but the content itself is checked by the integrity check values ICVt and ICVdev.

[0752] Each of the above integrity check values is used in the data processing apparatus according to the present invention. Of these integrity check values, the integrity check values A and B, the total integrity check value, and the content integrity check value are generated by a content provider for providing content data or a content manager based on data to be verified, as shown, for example, in FIGS. 32 to 35 and 6 and are stored in the data together with the content before being provided to a user of the recording and reproducing device 300. When downloading or reproducing the content to or from the recording device, the user of the recording and reproducing device, that is, the content user generates verifying ICVs based on each data to be verified, to compare them with the stored ICVs. Additionally, the integrity check value ICVdev unique to the reproducing device is replaced with the total integrity check value ICVt and then stored in the recording device if it is shown that the content can be used only by this recording and reproducing device.

[0753] In the above described embodiments, the processes for generating the integrity check values are principally based on the DES-CBC. The present invention, however, is not limited to the above described method but includes various ICV-generating and verifying process aspects. In particular, for the relationship between the content provider or manager and the content user, the following various ICV-generating and -verifying process configurations are possible.

[0754] FIGS. 46 to 48 are views useful in explaining a generation process executed by a generator of the integrity check value ICV and a verification process executed by a verifier.

[0755] FIG. 46 shows a configuration wherein, for example, an ICV generator who is a content provider or manager executes the process for generating the ICV based on the DES-CBC as described in the above embodiments and then provides the generated ICV to a recording and reproducing device user, that is, a verifier together with the content. In this case, for the verification process, the recording and reproducing device user, that is, the verifier requires, for example, the keys stored in the internal memory 307 shown in FIG. 18, for generating the corresponding integrity check values. The verifier (recording and reproducing device user) who is the content user uses the integrity-check-value-generating key stored in the internal memory 307 to apply the DES-CBC to data to be verified in order to generate the integrity check values and then compares these values with stored integrity check values. In this case, each integrity-check-value-generating key is configured so as to be secretly shared by the ICV creator and the verifier.

[0756] FIG. 47 shows a configuration wherein the ICV creator who is the content provider or manager generates ICVs using a digital signature of a public key cryptosystem and then provides the generated ICVs to the content user, that is, the verifier together with the content and wherein the content user, that is, the verifier stores the public key of the ICV creator and uses this key to verify the ICVs. In this case, the public key of the ICV creator which is held by the content user (recording and reproducing device user), that is, the verifier need not be secret, resulting in easier management. This aspect is thus suitable for ICV generation and management executed at a high security management level, for example, that executed in one entity.

[0757] In FIG. 48, the ICV creator who is the content provider or manager generates ICVs using a digital signature of a public key cryptosystem, then provides the generated ICVs to the content user, that is, the verifier together with the content, further stores a public key used by the verifier for verification, in a public key certificate (see, for example, FIG. 14), and then provides this key to the recording and reproducing device user, that is, the verifier. With a plurality of ICV creators, each creator has a key managing center create data (a public key certificate) for certifying the validity of the public key.

[0758] The content user who is the ICV verifier has a public key of the key managing center. The verifier verifies the public key certificate using the public key of the key managing center, and takes out the public key of the ICV creator stored in the public key certificate if its validity has been ascertained. The verifier further verifies the ICVs using the taken-out public key of the ICV creator.

[0759] This method is an aspect useful if a plurality of ICV creators are present and if a center for managing these creators has an established management system.

[0760] (12) Configuration for Generating Cryptography Process Keys Based on Master Keys

[0761] A configuration for generating various cryptography process keys based on the master keys, which configuration is characteristic of the present data processing system, will be described below.

[0762] As previously described with reference to FIG. 18, the internal memory of the recording and reproducing device 300 in the present data processing apparatus stores the various master keys, each of which is used, for example, to generate the authentication key Kake (see Equation 3) or the distribution key Kdis (see Equation 4).

[0763] When cryptography communication, mutual authentication, MAC generation, verification, or the like is carried out between two entities, that is, the content provider and the content provider, or the recording and reproducing device 300 and the recording device 400 in the present data processing apparatus, these entities conventionally hold secret information common to them, for example, key information. Additionally, when the above process is carried out between one and many entities, for example, one content provider and many content users, or one recording and reproducing device and many recording media, these entities conventionally store and hold secret information common to all the entities, that is, secret information common to many content users or many recording media, or one content provider individually manages and uses secret information (ex. key) for each of many content users.

[0764] With the one-to-many relationship as described above, however, the configuration owning secret information (key) shared by all the entities is disadvantageous in that leakage of the secret from one entity affects all the other entities using the same secret information (ex. key). In addition, when one manager, for example, a content provider individually manages and uses secret information for each content user, a list is required which serves to identify all the users and which associates this identification data with unique secret information (ex. keys), thereby increasing list maintaining and managing burdens in proportion to the number of users.

[0765] The data processing apparatus according to the present invention has solved such a conventional problem with the sharing of secret information between entities using a configuration for holding the master keys and generating various individual keys therefrom. This configuration will be described below.

[0766] In the data processing apparatus according to the present invention, if different individual keys are required for various cryptography processes, authentication processes, and the like between recording devices, media storing contents, or recording and reproducing devices, these individual keys are generated using individual information such as identifier data (ID) unique to the devices or media and an individual-key generating method previously determined in the recording and reproducing device 300. With this configuration, if any individual key generated should be identified, damage to the entire system can be precluded by preventing the corresponding master key from leaking. In addition, the configuration for generating the keys from the master keys eliminates the need for the association list.

[0767] A specific example of configuration will be described with reference to the drawings. FIG. 49 is a view useful in explaining the configuration for generating various keys using the various master keys held by the recording and reproducing device 300. The medium 500 and the communication means 600 in FIG. 49 input contents as in the already described embodiments. The content is encrypted by the content key Kcon, which is in turn encrypted by the distribution key Kdis.

[0768] For example, if the recording and reproducing device 300 attempts to take a content out from the medium 500 or the communication means 600 and download it to the recording device 400, the recording and reproducing device 300 must obtain the distribution key Kdis that has encrypted the content key as previously described in FIGS. 2 and 39 to 41. Although the key Kdis can be directly obtained from the medium 500 or the communication means 600 or the recording and reproducing device 300 can obtain and store it in its memory beforehand, the configuration for distributing such a key to many users may be subjected to leakage, which may affect the entire system, as described above.

[0769] The data processing system according to the present invention is configured to generate the distribution key Kdis by applying a master key MKdis for the distribution key stored in the memory of the recording and reproducing device 300 as well as a process based on the content ID, that is, Kdis=DES (MKdis, content ID), as shown in the lower part of FIG. 49. In a content distributing configuration between a content provider providing contents from the medium 500 or the communication means 600 and the recording and reproducing device 300, which is a content user, despite a large number of content providers, this configuration enables advanced security to be maintained without the need to distribute the individual distribution keys Kdis via the medium, the communication means, or the like or to store them in each recording and reproducing device 300.

[0770] Next, the generation of the authentication key Kake will be explained. In downloading a content from the recording and reproducing device 300 to the recording medium 400 as previously described in FIGS. 22 and 39 to 41 or causing the recording and reproducing device 300 to execute and reproduce a content stored in the recording medium 400 as described in FIGS. 42 to 45, the recording and reproducing device 300 and the recording medium 400 must execute the mutual authentication process (see FIG. 20).

[0771] As described in FIG. 20, this authentication process requires the recording and reproducing device 300 to have the authentication key Kake. Although the recording and reproducing device 300 can obtain the authentication key directly from, for example, the recording medium 400 or can obtain and store it in its memory beforehand, the configuration for distributing such a key to many users may be subjected to leakage, which may affect the entire system, as in the above described configuration for the distribution key.

[0772] The data processing system according to the present invention is configured to obtain the authentication key Kake by applying a master key MKake for the distribution key stored in the memory of the recording and reproducing device 300 as well as a process based on the recording device ID: IDmem, that is, Kake=DES (MKake, IDmem), as shown in the lower part of FIG. 49.

[0773] Further, in downloading a content from the recording and reproducing device 300 to the recording medium 400 as previously described in FIGS. 22 and 39 to 41 or causing the recording and reproducing device 300 to execute and reproduce a content stored in the recording medium 400 as described in FIG. 28, FIGS. 42 to 45, a configuration similar to that for the distribution or authentication key described above can be used for the recording and reproducing device signature key Kdev required to generate the integrity check value ICVdev unique to the recording and reproducing device if the content can be used only by a particular recording and reproducing device. In the above described embodiments, the recording and reproducing device signature key Kdev is stored in the internal memory, but if the master key MKdev for the recording and reproducing device signature key is stored in the memory whereas the recording and reproducing device signature key Kdev is not stored therein and if the recording and reproducing device signature key Kdev is obtained by means of Kdev=DES (MKdev, IDdev) based on the recording and reproducing device identifier: IDdev and the master key MKdev for the recording and reproducing device signature key, as required, as shown in the lower part of FIG. 49, then it advantageously becomes unnecessary for each apparatus to have the recording and reproducing device signature key Kdev.

[0774] In this manner, the data processing apparatus according to the present invention is configured to sequentially generate from the master keys and each ID, information such as a key which is required for the cryptography information process between two entities such as the provider and the recording and reproducing device or the recording and reproducing device and the recording device. Consequently, even if the key information leaks from each entity, the range of damage incurred by the individual keys is further limited, and it also becomes unnecessary to manage key lists for the individual entities as described above.

[0775] A plurality of examples of processes relating to this configuration will be explained by showing a flow. FIG. 50 shows examples of a process executed by the content producer or manager to decrypt a content or the like using a master key and a process executed by a user device, for example, the recording and reproducing device 300 in the above described embodiment to decrypt the encrypted data using the master key.

[0776] At step S501, a content producer or manager imparts an identifier (content identifier) to a content. At step S502, the content producer or manager generates a key for encrypting a content or the like based on its owned master key and a content ID. At this step, if the distribution key Kdis is to be generated, it is generated based on the above described Kdis=DES (MKdis, medium ID). Then at step S503, the content producer or manager uses a key (for example, the distribution key Kdis) to encrypt part or all of the content stored in the medium. The content producer supplies the content encrypted through these steps, via the medium such as a DVD, the communication means, or the like.

[0777] On the other hand, at step S504, a user device such as the recording and reproducing device 300 reads the content ID from the content data received via the medium such as a DVD, the communication means, or the like. Then at step S505, the user device generates a key applied to decryption of the encrypted content based on the read-out medium ID and its owned master key. If the distribution key Kdis is to be obtained, this generation process corresponds to, for example, the distribution key Kdis=DES (MKdis, medium ID). At step S506, the user device uses this key to decrypt the content, and at step S507, uses, that is, reproduces the decrypted content or executes the program.

[0778] In this example, as shown in the lower part of FIG. 50, both the content producer or manager and the user device have the master key (for example, the distribution-key-generating master key MKdis) to sequentially generate the distribution key required to encrypt or decrypt the content based on their owned master key and each ID (medium ID).

[0779] With this system, if the distribution key leaks to a third person, the third person can decrypt that content, but contents stored in other media with different content IDs can be prevented from decryption, thereby minimizing the adverse effects of the leakage of one content key on the entire system. Additionally, this system does not require the user device, that is, the recording and reproducing device to hold a key associating list for each medium.

[0780] An example where the content producer or manager holds a plurality of master keys to execute a process depending on a content distribution destination will be described with reference to FIG. 52.

[0781] Step S511 executed by the content producer or manager comprises imparting an identifier (content ID) to the content. Step S512 comprises selecting one of a plurality of master keys (for example, a plurality of distribution-key-generating master keys MKdis) held by the content producer or manager. Although described in further detail with reference to FIG. 52, this selection process comprises setting an applied master key beforehand for each of the countries to which content users belong, each apparatus type, or each apparatus version and executing the master keys in accordance with the settings.

[0782] Then at step S513, the content producer or manager generates an encryption key based on the master key selected at step S512 and the content ID determined at step S511. If, for example, the distribution key Kdis is to be generated, it is generated based on the above described Kdis=DES (MKdis, medium ID). Then at step S514, the content producer or manager uses a key (for example, the distribution key Kdisi) to encrypt part or all of the content stored in the medium. At step S515, the content producer distributes the encrypted content via the medium such as a DVD, the communication means, or the like, using a distribution unit comprising the content ID, the master-key-generating information used, and the encrypted content.

[0783] On the other hand, at step S516, for example, the user device such as a recording and reproducing device 300 determines whether or not it holds the master key corresponding to the master key ID in the content data distributed by the medium such as a DVD or by the communication means. If it does not have the master key corresponding to the master key ID in the content data, the distributed content cannot be used by this user device and the process is ended.

[0784] If the user device has the master key corresponding to the master key ID in the content data, then at step S517, it reads the content ID out from the content data received via the medium, the communication means, or the like. Then at step S518, the user device generates a key applied to decryption of the encrypted content based on the read-out content ID and its held master key. This process is a distribution-key Kdisi=DES (Mkdisi, contents ID) if it intends to get a distribution key Kdisi. At step S519 contents are decrypted by means of the key. At step S520 decrypted contents are used, that is, reproduction or program is performed.

[0785] In this example, as shown in the lower part of FIG. 51, the content producer or manager has a master key set comprising a plurality of master keys, for example, distribution-key-generating master keys MKdis 1 to n. On the other hand, the user device has one master key, for example, one distribution-key-generating master key KKdisi so that it can decrypt the content only when the content producer or manager has used the key KKdisi for the encryption.

[0786] FIG. 52 shows an example where master keys varying depending on the country are applied, as a specific example of the aspect shown in the flow in FIG. 51. The content provider has master keys MK1 to n, of which the key MK1 is used to generate keys for encrypting contents distributed to user devices for Japan. For example, an encryption key K1 is generated from a content ID and the key MK1 and then used to encrypt a content. The master keys MK1 to n are further set such that the key MK2 is used to generate keys for encrypting contents distributed to user devices for the U.S., and the key MK3 is used to generate keys for encrypting contents distributed to user devices for the EU (Europe).

[0787] On the other hand, for user devices for Japan, specifically, recording and reproducing devices such as PCs or game apparatuses which are sold in Japan, the master key MK1 is stored in their internal memories, for user devices for the U.S., the master key MK2 is stored in their internal memories, and for user devices for the EU, the master key MK3 is stored in their internal memories.

[0788] With this configuration, the content provider selectively uses one of the master keys MK1 to n depending on user devices that can use a content, in order to encrypt the content to be distributed to the user devices. For example, to allow the content to be used only by the user devices for Japan, the master key K1 generated using the master key MK1 is used to encrypt the content. This encrypted content can be decrypted using the master key MK1 stored in the user devices for Japan, that is, allows a decryption key to be generated, whereas the key K1 cannot be obtained from the master keys MK2 and MK3 stored in the user devices for the U.S. and EU, respectively, thereby preventing the encrypted content from being decrypted.

[0789] In this manner, the content provider can selectively use a plurality of master keys to set localization for various contents. FIG. 52 shows an example where the different master keys are used for the different countries to which the user devices belong, but various use forms are possible; for example, the master key can be switched depending on the type of the user device or its version, as described above.
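The flow of steps S511 to S520 with per-region master keys can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA-256 truncated to 8 bytes stands in for the derivation Kdis=DES (MKdis, ID), a SHA-256 counter keystream stands in for the content cipher, and every key, content ID, dictionary field name and function name is constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample master keys, one per region as in the FIG. 52 description.
MASTER_KEYS = {
    "MK1": b"constructed-master-key-japan",
    "MK2": b"constructed-master-key-us",
    "MK3": b"constructed-master-key-eu",
}


def derive_key(master_key, identifier):
    """Stand-in for K = DES(MK, ID): HMAC-SHA-256 truncated to 8 bytes (assumption)."""
    return hmac.new(master_key, identifier, hashlib.sha256).digest()[:8]


def xor_stream(key, data):
    """Illustrative keystream cipher (SHA-256 in counter mode); not DES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def package(master_key_id, content_id, content):
    """Producer side, steps S511 to S515: build the distribution unit."""
    kdis = derive_key(MASTER_KEYS[master_key_id], content_id)
    return {
        "content_id": content_id,
        "master_key_id": master_key_id,  # master-key-generating information
        "encrypted": xor_stream(kdis, content),
    }


class UserDevice:
    """A device that holds exactly one master key in internal memory."""

    def __init__(self, master_key_id):
        self.master_key_id = master_key_id
        self._master_key = MASTER_KEYS[master_key_id]

    def play(self, unit):
        # S516: end the process if the unit names a master key we do not hold.
        if unit["master_key_id"] != self.master_key_id:
            return None
        # S517 to S519: read the content ID, derive the key, decrypt.
        kdis = derive_key(self._master_key, unit["content_id"])
        return xor_stream(kdis, unit["encrypted"])

    def force_decrypt(self, unit):
        """Skip the S516 check: the wrong master key still yields the wrong key."""
        kdis = derive_key(self._master_key, unit["content_id"])
        return xor_stream(kdis, unit["encrypted"])


TITLE_A = b"constructed title A for Japan"
TITLE_B = b"constructed title B for Japan"


def demo():
    unit_a = package("MK1", b"CONTENT-0001", TITLE_A)
    unit_b = package("MK1", b"CONTENT-0002", TITLE_B)
    jp, us = UserDevice("MK1"), UserDevice("MK2")
    # Suppose the derived key for title A leaks to a third person.
    leaked = derive_key(MASTER_KEYS["MK1"], b"CONTENT-0001")
    return {
        "jp_plays_a": jp.play(unit_a),
        "us_plays_a": us.play(unit_a),
        "us_forced_a": us.force_decrypt(unit_a),
        "leaked_key_on_a": xor_stream(leaked, unit_a["encrypted"]),
        "leaked_key_on_b": xor_stream(leaked, unit_b["encrypted"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The leaked per-content key opens title A only; title B, derived from the same master key but a different content ID, stays protected, and neither side needs a per-content key list.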

[0790] Next, FIG. 53 shows an example of a process where an identifier unique to a medium; that is, a medium ID and a master key are combined together. Here, the medium refers to, for example, DVDs or CDs in which contents are stored. The medium ID may be unique to individual media, the titles of contents such as movies, or individual medium manufacturing lots. In this manner, medium IDs may be assigned in various manners.

[0791] At step S52, a medium producer or manager determines an identifier (medium identifier) for a medium. At step S522, the medium producer or manager generates a key for encrypting a content stored in the medium based on its owned master key and a medium ID. At this step, if, for example, the distribution key Kdis is to be generated, it is generated based on the above described Kdis=DES (MKdis, medium ID). Then at step S523, the medium producer or manager uses a key (for example, the distribution key Kdis) to encrypt part or all of the content stored in the medium. The medium producer supplies the medium storing the content encrypted through these steps.

[0792] On the other hand, at step S524, a user device such as the recording and reproducing device 300 reads the medium ID from the supplied medium. Then at step S525, the user device generates a key applied to decryption of the encrypted content based on the read-out medium ID and its owned master key. If the distribution key Kdis is to be obtained, this generation process corresponds to, for example, the distribution key Kdis=DES (MKdis, medium ID). At step S526, the user device uses this key to decrypt the content, and at step S527, uses, that is, reproduces the decrypted content or executes the program.

[0793] In this example, as shown in the lower part of FIG. 53, both the medium producer or manager and the user device have the master key (for example, the distribution-key-generating master key MKdis) to sequentially generate the distribution key required to encrypt or decrypt the content based on their owned master key and each ID (medium ID).

[0794] With this system, if any medium key leaks to a third person, the third person can decrypt the content in the medium, but contents stored in other media with different medium IDs can be prevented from decryption, thereby minimizing the adverse effects of the leakage of one medium key on the entire system. Additionally, this system does not require the user device, that is, the recording and reproducing device to hold a key associating list for each medium. Further, the size of a content encrypted with one medium key is limited to a capacity that can be stored within that medium, so that there is a slim possibility that the content reaches the amount of information required to attack the encrypted text, thereby reducing the possibility of decrypting the encrypted text.

[0795] Next, FIG. 54 shows an example of a process where an identifier unique to the recording and reproducing device, that is, a recording and reproducing device ID and a master key are combined together.

[0796] At step S531, a recording and reproducing device user generates a key for encrypting a content or the like based on a master key and a recording and reproducing device ID stored, for example, in the internal memory of the recording and reproducing device. If, for example, the content key Kcon is to be obtained, this generation process corresponds to Kcon=DES (MKcon, recording and reproducing device ID). Then at step S532, the user uses a key (for example, the distribution key Kcon) to decrypt the content. At step S533, the user stores the encrypted content in the recording and reproducing device such as a hard disk.

[0797] On the other hand, when the recording and reproducing device user that has stored the content requests the stored data to be recovered, a system manager for managing the recording and reproducing device reads a recording and reproducing device ID from the recording and reproducing device. Then at step S535, the system manager generates a key applied to recovery of the encrypted content based on the read-out recording and reproducing device ID and its owned master key. If the content key Kcon is to be obtained, this generation process corresponds to, for example, the content key Kcon=DES (MKcon, recording and reproducing device ID). At step S536, the user device uses this key to decrypt the content.

[0798] In this example, as shown in the lower part of FIG. 54, both the recording and reproducing device user and the system manager have the master key (for example, the content-key-generating master key MKcon) to sequentially generate the distribution key required to encrypt or decrypt the content based on their owned master key and each ID (recording and reproducing device ID).

[0799] With this system, if the content key leaks to a third person, the third person can decrypt that content, but contents stored in other media with different recording and reproducing device IDs can be prevented from decryption, thereby minimizing the adverse effects of the leakage of one content key on the entire system. Additionally, this system does not require the system manager or the user device to hold a key associating list for each medium.

[0800] FIG. 55 shows a configuration wherein an authentication key used for a mutual authentication process between a slave device, for example, the recording and reproducing device such as a memory card and a host device, for example, the recording and reproducing device is generated based on a master key. Although in the previously described authentication process (see FIG. 20), the authentication key is stored in the internal memory of the slave device in advance, it can be generated during the authentication process based on the master key as shown in FIG. 55.

[0801] For example, at step S541, the slave device that is the recording device generates, as an initialization process before starting the authentication process, the authentication key Kake for use in the mutual authentication process based on the master key and slave device ID stored in the internal memory of the slave device that is the recording device. The authentication key is generated based on Kake=DES (MKake, slave device ID). Then at step S542, the generated authentication key is stored in the memory.

[0802] On the other hand, at step S543, the host device such as the recording and reproducing device reads a slave device ID out from the installed recording device, that is, the slave device via the communication means. Then at step S544, the host device generates an authentication key applied to a mutual authentication process based on the read-out slave device ID and its owned authentication-key-generating master key. This generation process corresponds to, for example, the authentication key Kake=DES (MKake, slave device ID). At step S545, this authentication key is used to execute the authentication process.

[0803] In this example, as shown in the lower part of FIG. 55, both the slave device and the master device have the master key, that is, the authentication-key-generating master key MKake to sequentially generate the distribution key required for the authentication process based on their owned master key and the slave device ID.

[0804] With this system, if the authentication key leaks to a third person, this authentication key is effective only on the corresponding slave device and authentication is not established with other slave devices, thereby minimizing the adverse effects of the leakage of the key.

[0805] As described above, the data processing apparatus according to the present invention is configured so that the information such as the key which is required for the procedure for the cryptography information process between the two entities such as the content provider and the recording and reproducing device, or the recording and reproducing device and the recording device. Thus, even if the key information leaks from each entity, the range of damage incurred by the individual keys is further limited, and it also becomes unnecessary to manage key lists for the individual entities as described above.

[0806] (13) Control of Cryptography Intensity in Cryptography Process

[0807] In the above described embodiments, the cryptography process between the recording and reproducing device 300 and the recording device 400 is principally described in conjunction with the example using the cryptography process based on the single DES configuration described with reference to FIG. 7. The encryption process method applied to the present data processing apparatus is not limited to the above described Single DES, but any encryption method may be employed depending on a required security state.

[0808] For example, the Triple DES method configured as shown in the previously described FIGS. 8 to 10 is applicable. For example, both the cryptography process section 302 of the recording and reproducing device 300 and the cryptography process section 401 of the recording device 400 shown in FIG. 3 can be configured so as to execute the Triple DES method so that a process can be executed which corresponds to the cryptography process based on the Triple DES method described in FIGS. 8 to 10.

[0809] The content provider, however, may give top priority to processing speed dependent on the content to use a 64-bit content key Kcon based on the Single DES method, or give top priority to security to use a 128- or 192-bit content key Kcon based on the Triple DES method. Accordingly, it is not preferable to configure the cryptography process section 302 of the recording and reproducing device 300 and the cryptography process section 401 of the recording device 400 so as to accommodate only one of the Triple and Single DES methods. Therefore, the cryptography process section 302 of the recording and reproducing device 300 and the cryptography process section 401 of the recording device 400 are desirably configured so as to accommodate both the Triple and Single DES methods.

[0810] However, to configure the cryptography process section 302 of the recording and reproducing device 300 and the cryptography process section 401 of the recording device 400 so as to execute both the Triple and Single DES methods, different circuits and logics must be configured for these cryptography process sections. For example, to allow the recording device 400 to execute a process corresponding to the Triple DES, a command set for the Triple DES must be stored in the command register shown in the above FIG. 29. This may complicate the process section configured in the recording device 400.

[0811] Thus, for the present data processing apparatus, a configuration is proposed wherein the logic of the cryptography process section 401 of the recording device 400 is configured to accommodate the Single DES, while executing a process corresponding to the Triple DES process to store data (keys, contents, or the like) encrypted based on the Triple DES method in the external memory 402 of the recording device.

[0812] For example, in the example for the data format type 0 shown in FIG. 32, when content data are downloaded from the recording and reproducing device 300 to the recording device 400, the authentication process is executed at step S101 in the previously described FIG. 39 showing the flow of downloading data of the format type 0, and the session key Kses is generated. Further, at step S117, the cryptography process section 302 of the recording and reproducing device 300 encrypts the content key Kcon with the session key Kses and transmits the encrypted key to the recording device 400 via the communication means. At step S118, the cryptography process section 403 of the recording device 400, which has received the encrypted key, decrypts the content key Kcon with the session key Kses, further encrypts it with the storage key Kstr, and transmits the resulting key to the cryptography process section 302 of the recording and reproducing device 300. The recording and reproducing device 300 subsequently forms a data format (step S121) and transmits formatted data to the recording device 400, and the recording device 400 stores the received data in the external memory 402.

[0813] If the cryptography process executed by the cryptography process section 401 of the recording device 400 between steps S117 and S118 of the above process is configured to selectively execute either the Single or Triple DES method, the cryptography process section works whether the content provider provides content data using the content key Kcon in accordance with the Triple DES or the Single DES.

[0814] FIG. 56 shows a flow useful in explaining a configuration for executing the cryptography process method in accordance with the Triple DES method, using both the cryptography process section 302 of the recording and reproducing device 300 and the cryptography process section 401 of the recording device 400. FIG. 56 shows an example of a process for encrypting the content key Kcon with the storage key Kstr which process is executed in downloading content data from the recording and reproducing device 300 to the recording device 400, wherein the content key Kcon is based on the Triple DES method. Here, the example of the process for the content key Kcon is shown, but other keys or other data such as contents can be similarly processed.

[0815] The Triple DES method uses two or three keys in such a manner that a 64-bit key is used for the Single DES, while a 128- or 192-bit key is used for the Triple DES, as previously described in FIGS. 8 to 10. These three content keys Kcon are referred to as Kcon1, Kcon2, and (Kcon3). The Kcon3 is shown in the parentheses because it may not be used.

[0816] The process in FIG. 56 will be explained. At step S301, the mutual authentication process is carried out between the recording and reproducing device 300 and the recording device 400. This mutual authentication process step is executed during the process in the previously described FIG. 20. During this authentication process, the session key Kses is generated.

[0817] Once the authentication process at step S301 has been completed, the integrity check values ICV including the integrity check values A and B, the content integrity check value, and the total integrity check value are collated.

[0818] When all the check values (ICV) have been collated and it has been determined that no data have been tampered, the process proceeds to step S303 where the control section 306 of the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 as well as the previously obtained or generated distribution key Kdis, to decrypt the content Kcon stored in the header section of the data obtained from the medium 500 or received from the communication means 600 via the communication section 305. The content key in this case is a triple DES type key, such as content keys Kcon1, Kcon2, and (Kcon3).

[0819] Then at step S304, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt only the content key Kcon1 of the content keys Kcon1, Kcon2, and (Kcon3) decrypted at step S303, using the session key Kses made sharable during the mutual authentication.

[0820] The control section 301 of the recording and reproducing device 300 reads data containing the content key Kcon1 encrypted with the session key Kses, out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. The control section 301 then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0821] Then at step S305, on receiving the content key Kcon1 transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received content key Kcon1 using the session key Kses made sharable during the mutual authentication. Further at step S306, the recording device 400 causes the encryption/decryption section 406 to reencrypt the decrypted content key with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process, and then transmits the reencrypted key to the recording and reproducing device 300 via the communication section 404. Then at step S307, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt only the content key Kcon2 of the content keys Kcon1, Kcon2, and (Kcon3) decrypted at step S303, using the session key Kses made sharable during the mutual authentication.

[0822] The control section 301 of the recording and reproducing device 300 reads data containing the content key Kcon2 encrypted with the session key Kses, out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. The control section 301 then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0823] Then at step S308, on receiving the content key Kcon2 transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received content key Kcon2 using the session key Kses made sharable during the mutual authentication. Further at step S309, the recording device 400 causes the encryption/decryption section 406 to reencrypt the decrypted content key with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process section 401, and then transmits the reencrypted key to the recording and reproducing device 300 via the communication section 404.

[0824] Then at step S310, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt only the content key Kcon3 of the content keys Kcon1, Kcon2, and (Kcon3) decrypted at step S303, using the session key Kses made sharable during the mutual authentication.

[0825] The control section 301 of the recording and reproducing device 300 reads data containing the content key Kcon3 encrypted with the session key Kses, out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. The control section 301 then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0826] Then at step S311, on receiving the content key Kcon3 transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received content key Kcon3 using the session key Kses made sharable during the mutual authentication. Further at step S312, the recording device 400 causes the encryption/decryption section 406 to reencrypt the decrypted content key with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process, and then transmits the reencrypted key to the recording and reproducing device 300 via the communication section 404.

[0827] Then at step S313, the cryptography process section of the recording and reproducing device forms the various data formats described in FIGS. 32 to 35 and transmits them to the recording device 400.

[0828] Finally, at step S314, the recording device 400 stores the received formatted data in the external memory 402. These format data contain the content keys Kcon1, Kcon2, and (Kcon3) encrypted with the storage key Kstr.

[0829] This process enables the content keys stored in the recording device 400 to be stored as keys based on the Triple DES cryptosystem. If only two content keys Kcon1 and Kcon2 are used, the processing from steps S310 to S312 is omitted.

[0830] As described above, the recording device 400 can store the keys with the Triple DES applied thereto in the memory by repeating processing of the same aspect, that is, the process steps at steps S305 and S306 plural times with only the target changed. If the Single DES is applied to the content keys Kcon, steps S305 and S306 may be executed to carry out the formatting process at step S313 before storing the keys in the memory. Such a configuration may store commands for executing the processing at steps S305 and S306 in the command register in the previously described FIG. 29 and execute this processing one to three times depending on the aspect of the key, that is, whether the key is based on the Triple or Single DES method. Accordingly, the processes based on both the Triple and Single DES methods can be executed without containing the Triple DES process method in the process logic of the recording device 400. In this regard, the cryptosystem may be recorded in the usage policy in the header section of the content data so as to be determined by referencing the usage policy.
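The repeated single-block exchange of steps S304 to S312 can be sketched as follows. This is an added example, not code from the patent: a 16-round Feistel construction over HMAC-SHA-256 stands in for the Single DES block operation, and the key values, the cryptosystem labels and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample keys: session key from mutual authentication, device storage key.
KSES = b"constructed-session-key"
KSTR = b"constructed-storage-key"

# Hypothetical usage-policy labels mapped to the number of 64-bit key parts.
KEY_PARTS = {"single-des": 1, "triple-des-2key": 2, "triple-des-3key": 3}


def feistel_round(key, index, half):
    """Round function of the stand-in cipher (assumption; this is not DES)."""
    return hmac.new(key, bytes([index]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key, block):
    """Encrypt one 8-byte block with the stand-in single-block cipher."""
    left, right = block[:4], block[4:]
    for i in range(16):
        mask = feistel_round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mask))
    return left + right


def block_decrypt(key, block):
    """Invert block_encrypt by running the rounds in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(16)):
        mask = feistel_round(key, i, left)
        left, right = bytes(a ^ b for a, b in zip(right, mask)), left
    return left + right


class RecordingDevice:
    """Recording device whose logic only handles one 64-bit block per command."""

    def __init__(self, kses, kstr):
        self._kses, self._kstr = kses, kstr
        self.commands_run = 0

    def rewrap(self, block):
        # Steps S305/S306: decrypt with Kses, re-encrypt with Kstr, return result.
        if len(block) != 8:
            raise ValueError("device logic accepts a single 64-bit block only")
        self.commands_run += 1
        return block_encrypt(self._kstr, block_decrypt(self._kses, block))


def download_content_key(kcon, cryptosystem, kses, device):
    """Host side: send Kcon1, Kcon2, (Kcon3) one at a time (S304, S307, S310)."""
    parts = KEY_PARTS[cryptosystem]  # read from the usage policy in the header
    if len(kcon) != 8 * parts:
        raise ValueError("content key length does not match the usage policy")
    stored = []
    for i in range(parts):
        part = kcon[8 * i:8 * i + 8]
        stored.append(device.rewrap(block_encrypt(kses, part)))
    return stored  # placed in the formatted data at step S313


def recover(stored, kstr):
    """Check helper: what the device later obtains from its external memory."""
    return b"".join(block_decrypt(kstr, block) for block in stored)


if __name__ == "__main__":
    device = RecordingDevice(KSES, KSTR)
    kcon = bytes(range(24))  # constructed 192-bit content key
    stored = download_content_key(kcon, "triple-des-3key", KSES, device)
    print(device.commands_run, recover(stored, KSTR) == kcon)
```

The device runs the same command one to three times, so a 128- or 192-bit key ends up stored under Kstr without the device implementing a multi-key operation.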

[0831] (14) Program Activation Process Based on Activation Priority in Usage Policy in Content Data

[0832] As understood from the content data configurations in the previously described FIGS. 4 to 6, the usage policy stored in the header section of the content data used in the present data processing apparatus contains the content type and the activation priority. With a plurality of accessible content data recorded in various recording media such as the recording device 400, a DVD, a CD, a hard disk, or a game cartridge, the recording and reproducing device 300 in the present data processing apparatus determines the order in which these contents are activated, in accordance with the activation priority.

[0833] The recording and reproducing device 300 executes the mutual authentication with various recording devices such as each recording device DVD device, CD drive device, and hard disk drive device and then executes the program in the content data with the top priority in accordance with the priority in the content data. The “Program Activation Process Based on Activation Priority in Usage Policy in Content Data” will be explained below.

[0834] The above description of the present data processing apparatus focuses on the process executed if the recording and reproducing device 300 reproduces and executes content data from the one recording device 400. However, the recording and reproducing device 300 is generally configured so as to access, in addition to the recording device 400, a DVD, a CD, and a hard disk via the read section 304 as well as recording media such as a memory card and a game cartridge which are connected via the PIO111 or SIO112. In FIG. 2, only one read section 304 is described in order to avoid complicating the drawing, but the recording and reproducing device 300 can have different recording media, for example, a DVD, a CD, a floppy disk, and a hard disk installed therein in parallel.

[0835] The recording and reproducing device 300 can access a plurality of recording media, each of which stores content data. Content data supplied by an external content provider such as a CD are stored in the medium in the data configuration shown in the previously described FIG. 4 or in each recording medium such as a memory card in the content data configuration shown in FIG. 26 or 27 if the data are taken out from the medium or downloaded via the communication means. Furthermore, specifically, the content data are stored on the medium and the recording device in different formats depending on the format type thereof, as shown in FIGS. 32 to 35. In either case, the usage policy in the header of the content data contains the content type and the activation priority.

[0836] A process executed by the recording and reproducing device to activate a content if a plurality of content data are accessible will be explained in accordance with the flow.

[0837] FIG. 57 shows a process flow showing an example (1) of a process where there are a plurality of contents that can be activated. At step S611, recording devices that are accessible to the recording and reproducing device 300 are authenticated. The accessible recording devices include a memory card, a DVD device, a CD drive, a hard disc device, and a game cartridge or the like which is connected, for example, via the PIO111 or SIO112. Each recording device is authenticated under the control of the control section 301 shown in FIG. 2, for example, in accordance with the procedure previously explained in FIG. 20.

[0838] Next, at step S612, programs that can be activated are detected from the content data stored in the memory of the successfully authenticated recording device. Specifically, this is executed as a process of extracting contents for which the content type contained in the usage policy of the content data indicates a program.

[0839] Then at step S613, the priority of the program that can be activated and which has been extracted at step S612 is determined. Specifically, this corresponds to a process of comparing the priorities contained in the usage policies in the headers of the plurality of content data that can be activated in step S612, to select the top priority.

[0840] Then at step S614, the selected program is activated. If the plurality of programs that can be activated have the same priority, default priorities are set for the recording devices so that the content program stored in the device with the top priority is executed.

[0841] FIG. 58 shows an example (2) of a process where identifiers are set for a plurality of recording devices so that the authentication and the retrieval of a content program are sequentially executed for the recording devices with the identifiers, that is, a process for a plurality of contents that can be activated.

[0842] At step S621, recording devices (i) installed in the recording and reproducing device 300 are authenticated. A plurality of (n) recording devices 400 are sequentially imparted with identifiers 1 to n.

[0843] At step S622, it is determined whether or not the authentication at step S621 has been successful, and if so, the process proceeds to step S623 where programs that can be activated are retrieved from the recording media of the recording devices (i). If the authentication has failed, the process proceeds to step S627 where it is determined whether or not there is a new recording device from which a content can be retrieved. Without such a recording device, the process is ended, and otherwise the process advances to step S628 to update the recording device identifier i and repeat step S621 and the subsequent authentication process steps.

[0844] At step S623, programs that can be activated are detected from the content data stored in the recording devices (i). Specifically, this is executed as a process of extracting contents for which the content type contained in the usage policy of the content data indicates a program.

[0845] At step S624, it is determined whether or not the contents of which the content type is a program have been extracted. If such contents have been extracted, one of the extracted programs which has the top priority is selected at step S626, and the selected program is executed at step S626.

[0846] If it is determined at step S624 that no content of which the content type is a program has been extracted, the process proceeds to step S627 to determine whether or not there is a new recording device from which a content can be retrieved. Without such a recording device, the process is ended, and otherwise, the process proceeds to step S628 to update the recording device identifier i and repeat step S621 and the subsequent authentication process steps.

[0847] FIG. 59 shows a process flow showing an example of a process for a plurality of contents that can be activated. At step S651, recording devices that are accessible to the recording and reproducing device 300 are authenticated. Accessible DVD device, CD drive, hard disc device, and game cartridge or the like are authenticated. Each recording device is authenticated under the control of the control section 301 shown in FIG. 2, for example, in accordance with the procedure previously explained in FIG. 20.

[0848] Next, at step S652, programs that can be activated are detected from the content data stored in the memory of the successfully authenticated recording device. Specifically, this is executed as a process of extracting contents for which the content type contained in the usage policy of the content data indicates a program.

[0849] Then at step S653, information such as the name of the program that can be activated and which has been extracted at step S652 is displayed on a display means. Although the display means is not shown in FIG. 2, AV output data are output to the display means (not shown). User provided information such as a program name for each content data is stored in the content ID of the content data so that program information such as a program name for each authenticated content data is output to the output means via the control section 301 under the control of the main CPU 106 shown in FIG. 2.

[0850] Then at step S654, the main CPU 106 receives the user's program selection input from the input means such as the input interface, controller, mouse, or keyboard shown in FIG. 2 via the interface 110, and at step S655, executes the user selected program in accordance with the selection input.

[0851] As described above, in the data processing apparatus according to the present invention, the program activation priority is stored in the usage policy in the header of the content data so that the recording and reproducing device 300 activates programs in accordance with this priority or the display means displays activated program information from which the user selects a desired program. This configuration eliminates the need for the user to retrieve programs to save the amount of time and labor required for the activation. Additionally, the programs that can be activated are activated after all the recording devices have been authenticated or are shown to be such programs, thereby eliminating the complicatedness of the process such as the need to validate a program after selection.

[0852] (15) Content Configuring and Reproducing (Decompressing) Process

[0853] In the data processing apparatus according to the present invention, the recording and reproducing device 300 downloads a content from the medium 500 or the communication means 600 or reproduces data from the recording device 400, as described above. The above description focuses on the processing of encrypted data associated with the downloading or reproduction of a content.

[0854] The control section 301 of the recording and reproducing device 300 in FIG. 3 generally controls the authentication, encryption, and decryption processes associated with the downloading or reproduction of content data from the device 500 such as a DVD which provides content data, the communication means 600, or the recording device.

[0855] Reproducible contents resulting from these processes are, for example, sound or image data or the like. Decrypted data from the control section 301 are placed under the control of the main CPU shown in FIG. 2 and output to the AV output section depending on the sound or image data or the like. If, however, the content is, for example, sound data that have been MP3-compressed, an MP3 decoder in the AV output section shown in FIG. 2 decrypts and outputs the sound data. In addition, if the content data are images that have been MPEG2-compressed, an MP2 decoder in the AV output section decompresses and outputs the image data. In this manner, the data contained in the content data may have or have not been compressed (encoded), and are output after being processed depending on the content.

[0856] However, due to various types of compression and decompression process programs, even if the content provider provides compressed data, these data cannot be reproduced without a corresponding decompression process executing program.

[0857] Thus, the present invention discloses a data processing apparatus wherein compressed data and a decryption (decompression) process program therefor are stored in a data content or link information for the compressed data and the decryption (decompression) process program therefor is stored as header information in the content data.

[0858] FIG. 60 is a view obtained by simplifying elements from the general view of data processing shown in FIG. 2 which relate to this configuration. The recording and reproducing device 300 receives various contents from the device 500 such as a DVD or a CD, the communication means 600, or the recording device 400 such as a memory card which stores contents. These contents include various data such as sound data, still images, animated image data, and program data which have or have not been encrypted or compressed.

[0859] If the received content has been encrypted, the decryption process is executed using a method such as that described above and based on the control of the control section 301 and the cryptography process by the cryptography process section 302. The decrypted data are transferred to the AV process section 109 under the control of the CPU 106, where the data are stored in a memory 3090 of the AV process section 109. Then, a content analysis section 3091 analyzes the configuration of the content. If, for example, a data decompressing program is stored in the content, it is stored in a program storage section 3093. If the content contains sound or image data or the like, these data are stored in a data storage section 3092. A decompression process section 3094 uses a decompression process program such as MP3 which is stored in the program storage section, to decompress compressed data stored in the data storage section 3092. The data are then output to speakers 3001 or a monitor 3002.

[0860] Next, some examples of configurations of data received by the AV process section 109 via the control section 301 and of relevant processes will be explained. Here, sound data will be shown as an example of a content, and a content with the MP3 applied thereto will be described as a representative compression program. This configuration, however, is applicable to image data as well as sound data, and not only the MP3 decompression process program but also other various such programs for MPEG2 or MPEG4 can be applied thereto.

[0861] FIG. 61 shows an example of the configuration of a content. This figure shows music data 6102 compressed by means of the MP3 and an MP3 decryption (decompression) process program 6101, which are integrated together into one content. Such contents are each stored in the medium 500 or the recording device 400 and distributed from the communication means 600, as a single content. If these contents have been encrypted as previously described, the recording and reproducing device 300 uses the cryptography process section 303 to decrypt the content and then transfers it to the AV process section 109.

[0862] The content analysis section 3091 of the AV process section 109 analyzes the received content, takes a sound data decompression program (MP3 decoder) section out from the content, comprising a sound data decompression program (MP3 decoder) section and a compressed sound data section, and stores it in the program storage section 3093 while storing the compressed sound data in the data storage section 3092. The content analysis section 3091 may receive information such as a content name or content configuration information in addition to the content, or analyze the content based on identification data such as a data name or other data such as a data length or a data configuration which are all contained in the content. Then, a compression and decompression process section 3094 decompresses the MP3-compressed sound data stored in the data storage section 3092 in accordance with the sound data decompression program (MP3 decoder) stored in the program storage section 3093. The AV process section 109 then outputs the decompressed sound data to the speakers 3001.

[0863] FIG. 62 shows a flow showing an example of a process for reproducing data of the content configuration in FIG. 61. At step S671, a data name stored in the memory 3090 of the AV process section 109, for example, information such as the title of music present if the content is sound data is taken out from the information received separately from the content or from data in the content, and is then displayed on the monitor 3002. At step S672, the user's selection is received from one of the various input means such as the switches and the keyboard via the input interface 110, and a reproduction process command based on user input data is then output to the AV process section 109 under the control of the CPU 106. At step S673, the AV process section 109 extracts and decompresses data selected by the user.

[0864] Next, FIG. 63 shows an example of a configuration wherein a content contains either the compressed sound data or the decompression process program and also contains content information indicating what the content contains, as header information for each content.

[0865] As shown in FIG. 63, if the content is a program 6202, the content contains as header information 6201 content identification information indicating that this is a program and that the type of program is to be MP3-decompressed. On the other hand, if sound data 6204 are contained as a content, the content information in the header 6203 indicates that the data have been MP3-compressed. This header information can be configured by selecting only information required for reproduction from the data contained in the usage policy (see FIG. 5) in the above described content data configuration shown, for example, in FIG. 4 and adding this information to the content transferred to the AV process section 109. Specifically, identification values for usage policy data required for the cryptography process section 302 and for data required for the AV process section 109 during the reproduction process are added to each constituent data of the “usage policy” shown in FIG. 5, and only data indicating that these identification values are required for the AV process section 109 are extracted as header information.

[0866] On receiving each content shown in FIG. 63, the content analysis section 3091 of the AV process section 109 stores, in accordance with the header information, a program content in the program storage section 3093 if the content is a program or in the data storage section 3092 if the content is data. Thereafter, the compression and decompression section 3094 takes the data out from the data storage section and decompresses them in accordance with the MP3 program stored in the program storage section 3093 before outputting the decompressed data. If the program storage section 3093 has the same program already stored therein, the program storage process may be omitted.

[0867] FIG. 64 shows a flow showing an example of a process for reproducing data of the content configuration in FIG. 63. At step S675, a data name stored in the memory 3090 of the AV process section 109, for example, information such as the title of music present if the content is sound data is taken out from the information received separately from the content or from the header in the content, and is then displayed on the monitor 3002. At step S676, the user's selection is received from one of the various input means such as the switches and the keyboard via the input interface 110.

[0868] Then at step S677, a data reproducing program (for example, the MP3) corresponding to the user selection is retrieved. The maximum range of this program retrieval is preferably set as the possible access range of the recording and reproducing device 300, and for example, the media 500, communication means 600, and recording device 400 shown in FIG. 60 are included in the retrieval range.

[0869] The only content passed to the AV process section 109 is the data section, while the program content may be stored in another recording medium in the recording and reproducing device 300 or provided by the content provider via the medium such as a DVD or a CD. Accordingly, the retrieval range is set as the possible access range of the recording and reproducing device 300. When a reproduction program is found as a result of the retrieval, a reproduction process command based on the user input data is output to the AV process section 109 under the control of the CPU 106. At step S679, the AV process section 109 extracts and decompresses data depending on the user's selection. In another embodiment, the program retrieval is executed before step S675 so that only the data in which the program has been detected are displayed at step S675.

[0870] Next, FIG. 65 shows an example of a configuration wherein a content contains compressed sound data 6303 and decompression process program 6302 and further contains a content reproduction priority as header information 6301 therefor. This is an example of the above content configuration in FIG. 61 with the reproduction priority added thereto as header information. As in the above described section “(14) Program Activating Process Based on Activation Priority in Usage Policy in Content Data”, the order of reproduction is determined based on a reproduction priority set among contents received by the AV process section 109.

[0871] FIG. 66 shows a flow showing an example of a process for reproducing data of the content configuration in FIG. 65. At step S681, data stored in the memory 3090 of the AV process section 109, that is, data information for data to be reproduced is set in a retrieval list. The retrieval list is set using some areas of the memory in the AV process section 109. Then at step S682, the content analysis section 3091 of the AV process section 109 selects data of top priority, and at step S683, reproduces the selected data.

[0872] Next, FIG. 67 shows an example of a configuration wherein a content comprises a combination of header information and program data 6402 or header information 6403 and compressed data 6404 and wherein a reproduction priority is added only to the header 6403 of the data content.

[0873] FIG. 68 shows a flow showing an example of a process for reproducing data of the content configuration in FIG. 67. At step S691, data stored in the memory 3090 of the AV process section 109, that is, data information for data to be reproduced is set in a retrieval list. The retrieval list is set using some areas of the memory in the AV process section 109. Then at step S692, the content analysis section 3091 of the AV process section 109 selects data of top priority.

[0874] Then at step S693, a data reproducing program (for example, the MP3) corresponding to the user selection is retrieved. As in the process in the flow in FIG. 64, the maximum range of this program retrieval is preferably set as the possible access range of the recording and reproducing device 300, and for example, the media 500, communication means 600, and recording device 400 shown in FIG. 60 are included in the retrieval range.

[0875] When a reproduction program is found as a result of the retrieval (Yes at step S694), the selected data are decompressed and reproduced using the program obtained as a result of the retrieval.

[0876] On the other hand, if no program is found as a result of the retrieval (Yes at step S694), the process proceeds to step S696 to delete those of the remaining data contained in the retrieval list set at step S691 that must be reproduced using the same program. This is because it is apparent that a new attempt to retrieve a reproduction program from these data fails. Furthermore, when it is determined whether or not the retrieval list is empty and if the list is determined not to be empty, the process returns to step S692 to extract data of the next highest priority to execute the program retrieving process.
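The header-based routing of FIG. 63 and the retrieval-list loop of FIG. 68 can be sketched as follows. This is an added example, not code from the patent: the `Content` fields, the sample contents, the convention that 1 is the top priority, and the choice to continue with the next list entry after a successful reproduction are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Content:
    """One content as seen by the AV process section, reduced to header fields."""
    name: str
    kind: str          # "program" or "data" (content information in the header)
    codec: str         # e.g. "MP3": what a program decompresses / what data need
    priority: int = 0  # reproduction priority; assumption: 1 is the top priority


def analyze(contents):
    """Content analysis section 3091: route each content by its header."""
    program_storage, data_storage = {}, []
    for c in contents:
        if c.kind == "program":
            # The storage step may be omitted if the same program is already stored.
            program_storage.setdefault(c.codec, c)
        elif c.kind == "data":
            data_storage.append(c)
        else:
            raise ValueError(f"unknown content type in header: {c.kind!r}")
    return program_storage, data_storage


def retrieve_program(codec, program_storage, access_range):
    """S693: search program storage, then every source in the access range."""
    if codec in program_storage:
        return program_storage[codec]
    for source in access_range:
        for c in source:
            if c.kind == "program" and c.codec == codec:
                return c
    return None


def reproduce(contents, access_range=()):
    """Run the FIG. 68 loop; return (played, dropped) as lists of names."""
    program_storage, data_storage = analyze(contents)
    retrieval_list = sorted(data_storage, key=lambda c: c.priority)  # S691
    played, dropped = [], []
    while retrieval_list:                      # "is the retrieval list empty?"
        item = retrieval_list.pop(0)           # S692: data of top priority
        program = retrieve_program(item.codec, program_storage, access_range)
        if program is not None:                # program found at S694
            played.append((item.name, program.name))
            continue
        # S696: no program found, so drop every remaining entry that would
        # need the same program instead of repeating a search that must fail.
        dropped.append(item.name)
        dropped += [c.name for c in retrieval_list if c.codec == item.codec]
        retrieval_list = [c for c in retrieval_list if c.codec != item.codec]
    return played, dropped


# Constructed sample contents (not from the patent).
RECEIVED = [
    Content("track_a", "data", "MP3", priority=2),
    Content("clip_b", "data", "MPEG2", priority=1),
    Content("track_c", "data", "MP3", priority=3),
    Content("clip_d", "data", "MPEG2", priority=4),
    Content("mp3_decoder", "program", "MP3"),
]
RECORDING_DEVICE_400 = [Content("mpeg2_decoder", "program", "MPEG2")]

if __name__ == "__main__":
    print(reproduce(RECEIVED))                          # no MPEG2 program reachable
    print(reproduce(RECEIVED, [RECORDING_DEVICE_400]))  # program found on device 400
```
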

[0877] Thus, according to this configuration, if the compressed content is constructed with its decryption (decompression) program or comprises only data obtained by compressing the content or only the decompression process program, since it has the header information indicating what compressed data the content is or what process the content executes, the process section (for example, the AV process section) receiving the content uses the decompression process program attached to the compressed data in order to execute the decompression and reproduction process or retrieves the decompression and reproduction program based on the header information in the compressed data to execute the decompression and reproduction process in accordance with the program obtained as a result of the retrieval. This eliminates the need for processes executed by the user such as the selection and retrieval of the data decompressing program to reduce burdens on the user, thereby enabling efficient data reproduction. Moreover, the configuration having the reproduction priority in the header enables the reproduction order to be automatically set to allow the user to omit the operation of setting the reproduction order.

[0878] In the above described embodiments, the MP3 is taken as an example of a decompression process program for compressed sound data contents and sound compressed data, but this configuration is also applicable to contents containing compressed data or a decompression process program for compressed image data and provides similar effects in this case.

[0879] (16) Generation of Save Data and Storage and Reproduction of the Same in and from Recording Device

[0880] If, for example, the content executed in the recording and reproducing device 300 is a game program or the like and if the game program is to be resumed a predetermined period of time after suspension, the state of the game and the like at the time of the suspension are saved, that is, stored in the recording device so as to be read out on resumption to enable the game to be continued.

[0881] In conventional recording and reproducing devices for game apparatuses, personal computers, or the like, a save data preservation configuration is provided with such a configuration as to preserve save data in a recording medium such as a memory card, a floppy disk, a game cartridge, or a hard disk which can be built into the recording and reproducing device or externally attached thereto. In particular, however, these recording and reproducing devices have no configuration for maintaining the security of the save data and carry out the save process using, for example, specifications common to a game application program.

[0882] Thus, for example, save data saved using a recording and reproducing device A may be used or rewritten by another game program; little attention has been paid to the security of the save data.

[0883] The data processing apparatus according to the present invention provides a configuration that can maintain the security of save data. For example, save data for a certain game program are encrypted based on information used only by this game program before being stored in the recording device. Alternatively, the save data are encrypted based on information unique to the recording and reproducing device before being stored in the recording device. These methods enable the usage of the save data to be limited to particular apparatuses or programs to maintain the security of the data. “Generation of Save Data and Storage and Reproduction of the Same in and from Recording Device” in the present data processing apparatus will be explained below.

[0884] FIG. 69 is a block diagram useful in explaining a save data storage process in the present data processing apparatus. A content from the medium 500 such as a DVD or CD or the communication means 600 is provided to the recording and reproducing device 300. The provided content has been encrypted with the content key Kcon, which is a key unique to the content as described above, and the recording and reproducing device 300 obtains the content key in accordance with the process described in the above described section “(7) Process for Downloading from Recording and Reproducing Device to Recording device” (see FIG. 22), to decrypt the encrypted content and then stores it in the recording device 400. The following description is directed to a process executed by the recording and reproducing device 300 to decrypt a content program from the medium or the communication means, reproduce and execute this program, and then store the obtained save data in one of the various recording devices 400A, 400B, and 400B such as external or built-in memory card and hard disk for reproduction, or to download a content in the recording device 400A, reproduce and execute the content from the recording device 400A, and store the resulting save data in a processing and recording device 400 for storing the save data in any one of the various recording devices 400A, 400B, and 400B such as external or built-in memory card and hard disk for reproduction and reproducing the save data.

[0885] The recording and reproducing device 300 has the recording and reproducing device identifier IDdev, the system signature key Ksys, which is a signature key shared throughout the system, the recording and reproducing device signature key Kdev, which is unique to individual recording and reproducing devices, and the master keys for generating various individual keys, as previously described. The master keys are used to generate, for example, the distribution key Kdis or the authentication key Kake, as described in detail in “(12) Configuration for Generating Cryptography Process Keys Based on Master Keys”. Here, the type of the master key is not particularly limited but a key representing the master keys of the recording and reproducing device 300 is denoted by MKx. FIG. 69 shows an example of the cryptography key Ksav for save data in the lower part thereof. The save data cryptography key Ksav is used for the encryption process executed to store save data in one of the various recording devices 400A to C and for the decryption process executed to reproduce these data therefrom. The processes for storing and reproducing save data will be explained with reference to FIG. 70 and subsequent figures.

[0886] FIG. 70 is a flow chart of a process of storing save data in one of the recording devices 400A to C using either the content unique key or the system common key. The process in each flow is executed by the recording and reproducing device 300, and the recording device 400 storing the save data in each flow may be any of the external recording devices 400A to C and is not limited to a particular one.

[0887] At step S701, the recording and reproducing device 300 reads out the content ID, for example, the game ID. This ID is the data contained in the identification information in the content data shown in the previously described FIGS. 4, 26, 27, and 32 to 35. On receiving a command for storage of save data via the interface 110 shown in FIG. 2, the main CPU 106 commands the control section 301 to read the content ID.

[0888] The control section 301 takes the identification information out from the header in the content data via the read section if the execution program is a content from a DVD, a CD-ROM, or the like which is executed via the read section 304, or takes it out via the recording device controller 303 if the execution program is a content stored in the recording device 400. If the recording and reproducing device 300 is executing the content program and the content ID has already been stored in a RAM or another accessible recording medium in the recording and reproducing device, the identification information contained in the loaded data may be used without executing a new read process.

[0889] Then at step S702, the process is changed depending on whether or not the program is to be localized. The program localization is used to set whether or not a limitation is added which allows save data to be used only by this program; to allow the save data to be used only by this program, “Program Localization” is set to “Yes”, and to prevent the usage of the data from being limited to this program, “Program Localization” is set to “No”. This may be arbitrarily set by the user or may be set and stored in the content program by the content producer, and the set localization is stored in one of the recording devices 400A to C of FIG. 69 as a data managing file.

[0890] FIG. 71 shows an example of the data managing file. The data managing file is generated as a table containing entries including data numbers, content IDs, recording and reproducing device IDs, and program localization. The content ID is identification data for a content program for which save data are saved. The recording and reproducing device ID indicates a recording and reproducing device that has stored the save data, and an example thereof is [IDdev] shown in FIG. 69. The program localization is set to “Yes” in order to allow the save data to be used only by this program or to “No” in order to prevent the usage of the data from being limited to this program. The program localization may be arbitrarily set by the user using the content program or may be set and stored in the content program by the content producer.

[0891] Referring back to FIG. 70, the flow will be continuously explained. If the program localization is set to “Yes” at step S702, the process proceeds to step S703. At step S703, the key unique to the content, for example, the content key Kcon is read out from the content data and used as the save data cryptography key Ksav, or the save data cryptography key Ksav is generated based on the content unique key.

[0892] On the other hand, if the program localization is set to “No” at step S702, the process proceeds to step S707. At step S707, the system common key stored in the recording and reproducing device 300, for example, the system signature key Ksys is read out from the internal memory 307 of the recording and reproducing device 300 and used as the save data cryptography key Ksav, or the save data cryptography key Ksav is generated based on the system signature key Ksys. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data cryptography key Ksav.

[0893] Then at step S704, the save data cryptography key Ksav selected or generated at step S703 or S707 is used to execute a process for encrypting save data. This encryption process is executed by the cryptography process section 302 of FIG. 2 by applying, for example, the above described DES algorithm.

[0894] The save data encrypted at step S704 are stored in the recording device at step S705. If there are a plurality of recording devices that can store save data, as shown in FIG. 69, the user selects in advance one of the recording devices 400A to C as a save data storage destination. Further, at step S706, the program localization set at step S702, that is, “Yes” or “No” for the program localization is written to the data managing file described with reference to FIG. 71.

[0895] The process for storing the save data is thus completed. Save data for which “Yes” is selected for the program localization at step S702 and which are encrypted at step S703 with the save data encryption key Ksav generated based on the content unique key are prevented from being decrypted by content programs having no content unique key information, so that these save data can be used only by content programs having the same content key information. In this case, however, the save data encryption key Ksav is not generated based on information unique to the recording and reproducing device, so that save data stored in a removable recording device such as a memory card can be reproduced even from a different recording and reproducing device as long as they are used together with a corresponding content program.

[0896] Additionally, save data for which “No” is selected for the program localization at step S702 and which are encrypted at step S707 with the save data encryption key Ksav based on the system common key can be reproduced and used even if a program with a different content identifier is used or if a different recording and reproducing device is used.

[0897] FIG. 72 shows a flow showing a process for reproducing save data stored by means of the save data storage process in FIG. 20.

[0898] At step S711, the recording and reproducing device 300 reads out the content ID, for example, the game ID. This is a process similar to step S701 in the previously described FIG. 70, and reads out data contained in the identification information in the content data.

[0899] Then at step S712, the data managing file described with reference to FIG. 71 is read out from one of the recording devices 400A to C shown in FIG. 69, and the content ID read out at step S711 and correspondingly set program localization are extracted therefrom. If the data managing file has the program localization set to “Yes”, the process proceeds to step S714, whereas if the data managing file has the program localization set to “No”, the process advances to step S717.

[0900] At step S714, the key unique to the content, for example, the content key Kcon is read out from the content data and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the content unique key. This decryption key generating process uses a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on a certain content unique key to be decrypted with a decryption key generated based on the same content unique key.

[0901] On the other hand, if it is determined at step S712 that the data managing file has the program localization set to “No”, then at step S717, the system common key stored in the recording and reproducing device 300, for example, the system signature key Ksys is read out from the internal memory 307 of the recording and reproducing device 300 and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the system signature key Ksys. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data cryptography key Ksav.

[0902] Then at step S715, the save data decryption key Ksav selected or generated at step S714 or S717 is used to execute a process for decrypting save data, and at step S716, the decrypted save data are reproduced and executed in the recording and reproducing device 300.

[0903] The save data reproduction process is thus completed. As described above, the save data decryption key is generated based on the content unique key if the data managing file has the program localization set to “Yes”, while the save data decryption key is generated based on the system common key if the data managing file has the program localization set to “No”. If the program localization is set to “Yes”, a decryption key cannot decrypt the save data without the same content ID for the content, thereby enabling the security of the save data to be improved.

[0904] FIGS. 73 and 74 show save data storage and reproduction flows, respectively, that generate save data encryption and decryption keys using the content ID.

[0905] In FIG. 73, steps S721 to S722 are similar to steps S701 and S702 in FIG. 70, so description thereof is omitted.

[0906] In the save data storage flow in FIG. 73, if the program localization is set to “Yes” at step S722, then at step S723, the content ID is read out from the content data and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the content ID. For example, the cryptography process section 307 of the recording and reproducing device 300 can apply the master key MKx stored in the internal memory of the recording and reproducing device 300, to the content ID read out from the content data, to obtain the save data decryption key Ksav based, for example, on the DES (MKx, content ID). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0907] On the other hand, if the program localization is set to “No” at step S722, then at step S727, the system common key stored in the recording and reproducing device 300, for example, the system signature key Ksys is read out from the content data and used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the system signature key. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0908] The processing at step S724 and the subsequent steps is similar to that at step S704 and the subsequent steps in the process flow in the above described FIG. 70, and description thereof is thus omitted.

[0909] Further, FIG. 74 shows a process flow for reproducing and executing save data stored in the recording device during the save data storage process flow in FIG. 73, and steps S731 to S733 are similar to the corresponding processing in the above described FIG. 72 except for step S734. At step S734, the content ID is read out from the content data and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the content ID. This decryption key generating process uses a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on a certain content ID to be decrypted with a decryption key generated based on the same content ID.

[0910] The subsequent processing, steps S735, S736, and S737 are similar to the corresponding processing in FIG. 72, and description thereof is thus omitted. According to the save data storage and reproduction processes in FIGS. 73 and 74, if the program localization is set to “Yes”, the content ID is used to generate the save data encryption and decryption keys, so that as in the above save data storage and reproduction processes using the content unique key, save data cannot be obtained without matching the corresponding content program, thereby enabling save data to be saved more securely.

[0911] FIGS. 75 and 77 show save data storage (FIG. 75) and reproduction (FIG. 77) flows, respectively, that generate save data encryption and decryption keys using the recording and reproducing device unique key.

[0912] In FIG. 75, step S741 is similar to step S701 in FIG. 70, so description thereof is omitted. At step S742, it is determined whether localization is set for the recording and reproducing device. To localize the save data to a particular recording and reproducing device, that is, to allow the save data to be used only by the recording and reproducing device that has generated and stored the data, the recording and reproducing device localization is set to “Yes”; to allow other recording and reproducing devices to use the save data, the recording and reproducing device localization is set to “No”. If the recording and reproducing device localization is set to “Yes” at step S742, the process proceeds to step S743, and if this localization is set to “No”, the process proceeds to step S747.

[0913] An example of the data managing file is shown in FIG. 76. The data managing file is generated as a table containing entries including data numbers, content IDs, recording and reproducing device IDs, and recording and reproducing device localization. The content ID is identification data for a content program for which save data are saved. The recording and reproducing device ID indicates a recording and reproducing device that has stored the save data, and an example thereof is [IDdev] shown in FIG. 69. The recording and reproducing device localization is set to “Yes” in order to limit the usage of the save data to a particular recording and reproducing device, that is, allow the save data to be used only by the recording and reproducing device that has generated and stored the data, or to “No” in order to allow other recording and reproducing devices to use the save data. The recording and reproducing device localization may be arbitrarily set by the user using the content program or may be set and stored in the content program by the content producer.

[0914] In the save data storage process flow in FIG. 75, if the recording and reproducing device localization is set to “Yes” at step S742, the recording and reproducing device unique key, for example, the recording and reproducing device signature key Kdev is read out from the internal memory 307 of the recording and reproducing device 300 and used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the recording and reproducing device signature key Kdev. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0915] On the other hand, if the recording and reproducing device localization is set to “No” at step S742, then at step S747, the system common key stored in the recording and reproducing device 300, for example, the system signature key Ksys is read out from internal memory 307 of the recording and reproducing device 300 and used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the system signature key. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0916] The processing at steps S744 and S745 is similar to the corresponding processing in the process flow in the above described FIG. 72, and description thereof is thus omitted.

[0917] At step S746, the content ID, the recording and reproducing device ID, and the recording and reproducing device localization “Yes/No” set by the user at step S742 are written to the data managing file (see FIG. 76).

[0918] Furthermore, FIG. 77 shows a process flow for reproducing and executing save data stored in the recording device during the save data storage process flow in FIG. 75. At step S751, the content ID is read out as in the corresponding processing in the above described FIG. 72. Then at step S752, the recording and reproducing device ID (IDdev) stored in the memory of the recording and reproducing device 300 is read out.

[0919] At step S753, the content ID, the recording and reproducing device ID, and the set recording and reproducing device localization “Yes/No” are read out from the data managing file (see FIG. 76). If any entry in the data managing file which has the same content ID has the recording and reproducing device localization set to “Yes”, the process is ended if the table entry has a recording and reproducing device ID different from that read out at step S752.

[0920] Next, if it is determined at step S754 that the data managing file has the recording and reproducing device localization set to “Yes”, the process proceeds to step S755, whereas if the data managing file has the recording and reproducing device localization set to “No”, the process proceeds to step S758.

[0921] At step S755, the recording and reproducing device unique key, for example, the recording and reproducing device signature key Kdev is read out from the internal memory 307 of the recording and reproducing device 300 and used as the save data decryption key Ksav, or the save data encryption key Ksav is generated based on the recording and reproducing device signature key Kdev. This decryption key generating process uses a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on a certain recording and reproducing device unique key to be decrypted with a decryption key generated based on the same recording and reproducing device unique key. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0922] On the other hand, at step S758, the system common key stored in the recording and reproducing device 300, for example, the system signature key Ksys is read out from internal memory 307 of the recording and reproducing device 300 and used as the save data decryption key Ksav, or the save data decryption key Ksav is generated based on the system signature key. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav. The processing at the subsequent steps S756 and S757 is similar to that at the corresponding steps in the above described save data reproduction process flow.

[0923] According to the save data storage and reproduction process flows shown in FIGS. 75 and 77, save data for which the recording and reproducing device localization is set to “Yes” are encrypted and decrypted using the recording and reproducing device unique key. These save data can thus be decrypted and used only by the recording and reproducing device having the same recording and reproducing device unique key, that is, the same recording and reproducing device.

[0924] Next, FIGS. 78 and 79 show process flows for generating encryption and decryption keys for save data using the recording and reproducing device ID and storing and reproducing the save data.

[0925] In FIG. 78, the recording and reproducing device ID is used to encrypt and store save data in the recording device. Steps S761 to S763 are similar to those in the above FIG. 75. At step S764, the recording and reproducing device ID (IDdev) read out from the recording and reproducing device is used to generate the save data encryption key Ksav. The save data encryption key Ksav is obtained based on the IDdev by, for example, applying the IDdev as the save data encryption key Ksav or applying the master key MKx stored in the internal memory of the recording and reproducing device 300 to obtain the save data encryption key Ksav based on the DES (MKx, IDdev). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0926] The subsequent process steps S765 to S768 are similar to the corresponding processing in the above described FIG. 75, so description thereof is omitted.

[0927] FIG. 79 shows a process flow for reproducing and executing the save data stored in the recording device by means of the process in FIG. 78. Steps S771 to S774 are similar to the corresponding processing in the above described FIG. 77.

[0928] At step S775, the recording and reproducing device ID (IDdev) read out from the recording and reproducing device is used to generate the save data decryption key Ksav. The save data encryption key Ksav is obtained based on the IDdev by, for example, applying the IDdev as this key Ksav or applying the master key MKx stored in the internal memory of the recording and reproducing device 300 to obtain this key Ksav based on the DES (MKx, IDdev). This decryption key generating process uses a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on a certain recording and reproducing device unique key to be decrypted with a decryption key generated based on the same recording and reproducing device unique key. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0929] The subsequent process steps S776 to S778 are similar to the corresponding processing in the above described FIG. 76.

[0930] According to the save data storage and reproduction process flows shown in FIGS. 78 and 79, save data for which the recording and reproducing device localization is set to “Yes” are encrypted and decrypted using the recording and reproducing device unique key. These save data can thus be decrypted and used only by the recording and reproducing device having the same recording and reproducing device unique key, that is, the same recording and reproducing device.

[0931] Next, save data storage and reproduction processes of executing both the above described program localization and recording and reproducing device localization will be explained with reference to FIGS. 80 to 82.

[0932] FIG. 80 shows a save data storage process flow. At step S781, the content ID is read out from the content data, at step S782, it is determined whether the program localization is set, and at step S783, it is determined whether the recording and reproducing device localization is set.

[0933] If both the program localization and the recording and reproducing device localization are set to “Yes”, then at step S785, the save data encryption key Ksav is generated based on both the content unique key (e.g., Kcon) and the recording and reproducing device unique key (Kdev). The save data encryption key is obtained, for example, based on Ksav=(Kcon XOR Kdev) or by applying the master key MKx stored in the internal memory of the recording and reproducing device 300 to obtain this key based on Ksav=DES (MKx, Kcon XOR Kdev). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0934] If the program localization is set to “Yes” while the recording and reproducing device localization is set to “No”, then at step S786, the content unique key (e.g., Kcon) is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the content unique key (e.g., Kcon).

[0935] If the program localization is set to “No” while the recording and reproducing device localization is set to “Yes”, then at step S787, the recording and reproducing device unique key (Kdev) is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the recording and reproducing device unique key (Kdev). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0936] Further, if both the program localization and the recording and reproducing device localization are set to “No”, then at step S787, the system common key, for example, the system signature key Ksys is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the system signature key Ksys. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0937] At step S789, the save data encryption key Ksav generated at one of the steps S785 to S788 is used to encrypt the save data, which are then stored in the recording device.

[0938] Furthermore, at step S790, the localization set at steps S782 and S783 is stored in the data managing file. The data managing file is configured, for example, as shown in FIG. 81 and contains entries including data numbers, content IDs, recording and reproducing device IDs, program localization, and recording and reproducing device localization.

[0939] FIGS. 82A and 82B show a process flow for reproducing and executing the save data stored in the recording device by means of the process in FIG. 80. At step S791, the content ID and the recording and reproducing device ID are read out from the execution program, and at step S792, the content ID, the recording and reproducing device ID, the program localization, and the recording and reproducing device localization are read out from the data managing file shown in FIG. 81. In this case, if the program localization is set to “Yes” and the content IDs are not the same or if the recording and reproducing device localization is set to “Yes” and the recording and reproducing device IDs are not the same, the process is ended.

[0940] Then at steps S793, S794, and S795, the decryption key generating process is set to one of the four manners at steps S796 to S799 in accordance with the data recorded in the data managing file.

[0941] If both the program localization and the recording and reproducing device localization are set to “Yes”, then at step S796, the save data encryption key Ksav is generated based on both the content unique key (e.g., Kcon) and the recording and reproducing device unique key (Kdev). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav. If the program localization is set to “Yes” while the recording and reproducing device localization is set to “No”, then at step S797, the content unique key (e.g., Kcon) is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the content unique key (e.g., Kcon). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0942] If the program localization is set to “No” while the recording and reproducing device localization is set to “Yes”, then at step S798, the recording and reproducing device unique key (Kdev) is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the recording and reproducing device unique key (Kdev). Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav. Further, if both the program localization and the recording and reproducing device localization are set to “No”, then at step S799, the system common key, for example, the system signature key Ksys is used as the save data encryption key Ksav, or the save data encryption key Ksav is generated based on the system signature key Ksys. Alternatively, a cryptography key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data decryption key Ksav.

[0943] These decryption key generating processes use a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on the same content unique key and recording and reproducing device unique key to be decrypted with a decryption key generated based on the same content unique key and recording and reproducing device unique key.

[0944] At step S800, the save data encryption key Ksav generated at one of the steps S796 to S799 is used to execute the decryption process, and the decrypted save data are reproduced and executed in the recording and reproducing device 300.

[0945] According to the save data storage and reproduction process flows shown in FIGS. 80 and 82, save data for which “Yes” is selected for the program localization are encrypted and decrypted with the content unique key, so that these save data can be decrypted and used only if content data having the same content unique key are used. Additionally, save data for which “Yes” is selected for the recording and reproducing device localization are encrypted and decrypted with the recording and reproducing device ID, so that these save data can be decrypted and used only by the recording and reproducing device having the same recording and reproducing device ID, that is, the same recording and reproducing device. Consequently, both the content and the recording and reproducing device can set the localization to further improve the security of the save data.

[0946] Although FIGS. 80 and 82 show the configuration for generating the save data encryption key and the decryption key using the content unique key and the recording and reproducing device unique key, the content ID and the recording and reproducing device ID may be used instead of the content unique key and the recording and reproducing device unique key, respectively, to generate the save data encryption key and the decryption key based on these IDs.
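The four-way key selection of FIGS. 80 and 82 and the data managing file check at step S792 can be sketched as follows; this is an added example, not code from the patent. HMAC-SHA256 truncated to 8 bytes stands in for DES (MKx, ...), it is applied in all four branches, and MKx and Ksys are assumed to be common to all devices; the type names, field names and sample key values are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple

KEY_LEN = 8  # DES-sized key, matching the page's DES(MKx, ...) notation


def kdf(mk_x: bytes, material: bytes) -> bytes:
    """Stand-in for DES(MKx, material): HMAC-SHA256 truncated to KEY_LEN bytes."""
    return hmac.new(mk_x, material, hashlib.sha256).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Device(NamedTuple):
    id_dev: bytes  # recording and reproducing device ID (IDdev)
    k_dev: bytes   # device unique key (Kdev)
    k_sys: bytes   # system common key (Ksys); assumed identical on all devices
    mk_x: bytes    # master key (MKx); assumed identical on all devices


class ManagingEntry(NamedTuple):
    """One row of the data managing file (FIG. 81); layout is hypothetical."""
    content_id: bytes
    id_dev: bytes
    program_localization: bool
    device_localization: bool


def derive_ksav(dev: Device, k_con: bytes, program_loc: bool, device_loc: bool) -> bytes:
    """Select the key material for Ksav from the two localization flags."""
    if program_loc and device_loc:
        material = xor(k_con, dev.k_dev)  # Yes/Yes: Kcon XOR Kdev
    elif program_loc:
        material = k_con                  # Yes/No: content unique key
    elif device_loc:
        material = dev.k_dev              # No/Yes: device unique key
    else:
        material = dev.k_sys              # No/No: system common key
    return kdf(dev.mk_x, material)


def store(dev: Device, content_id: bytes, k_con: bytes,
          program_loc: bool, device_loc: bool) -> Tuple[bytes, ManagingEntry]:
    """Storage flow: derive Ksav and record the flags in the managing file."""
    entry = ManagingEntry(content_id, dev.id_dev, program_loc, device_loc)
    return derive_ksav(dev, k_con, program_loc, device_loc), entry


def ksav_for_reproduction(dev: Device, content_id: bytes, k_con: bytes,
                          entry: ManagingEntry) -> Optional[bytes]:
    """Reproduction flow: None means the process is ended at the ID comparison."""
    if entry.program_localization and entry.content_id != content_id:
        return None
    if entry.device_localization and entry.id_dev != dev.id_dev:
        return None
    return derive_ksav(dev, k_con, entry.program_localization,
                       entry.device_localization)


# Constructed sample values (not from the page).
MK_X = bytes.fromhex("0123456789abcdef")
K_SYS = bytes.fromhex("a1a2a3a4a5a6a7a8")
DEV_A = Device(b"DEV-A001", bytes.fromhex("1111111111111111"), K_SYS, MK_X)
DEV_B = Device(b"DEV-B002", bytes.fromhex("2222222222222222"), K_SYS, MK_X)
CONTENT_X, KCON_X = b"GAME-001", bytes.fromhex("c0c1c2c3c4c5c6c7")
CONTENT_Y, KCON_Y = b"GAME-002", bytes.fromhex("d0d1d2d3d4d5d6d7")

if __name__ == "__main__":
    ksav, entry = store(DEV_A, CONTENT_X, KCON_X, True, True)
    print("same device:", ksav_for_reproduction(DEV_A, CONTENT_X, KCON_X, entry) == ksav)
    print("other device:", ksav_for_reproduction(DEV_B, CONTENT_X, KCON_X, entry))
```

The ID comparison against the data managing file is only a gate; what actually keeps another device from decrypting Yes/Yes save data is that it derives a different Ksav from its own Kdev.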

[0947] Next, a configuration for generating encryption and decryption keys based on a password input by the user will be described with reference to FIGS. 83 to 85.

[0948] FIG. 83 shows a process flow for generating a save data encryption key based on a password input by the user and storing save data in the recording device.

[0949] At step S821, the content ID is read out from the content data as in each of the above described processes. At step S822, the user determines whether to set the program localization. The data managing file set in this configuration has, for example, the configuration shown in FIG. 84.

[0950] As shown in FIG. 84, the data contains data numbers, content IDs, recording and reproducing device IDs, and user set program localization. The “user set program localization” is an entry that determines whether or not the usage of the program is limited to a particular user.

[0951] If the localization is set to “Yes” at step S822 in the process flow in FIG. 83, then at step S823, the user's password is input. The password is input from an input means such as the keyboard shown in FIG. 2.

[0952] The input password is output to the cryptography process section 302 under the control of the main CPU 106 and the control section 301, and the processing at step S824 is executed, that is, the save data encryption key Ksav is generated based on the input user password. The save data encryption key Ksav may be generated by, for example, setting the password itself as this key Ksav or using the master key MKx of the recording and reproducing device to generate this key Ksav based on the save data encryption key Ksav=DES (MKx, password). Alternatively, a unidirectional function may be applied using the password as an input so that an encryption key can be generated based on an output from the function.

[0953] If the user localization is set to “No” at step S822, then at step S828, a save data encryption key is generated based on the system common key of the recording and reproducing device 300.

[0954] Further, at step S825, the save data encryption key Ksav generated at step S824 or S828 is used to encrypt the save data, and at step S826, the encrypted save data are stored in the recording device.

[0955] Furthermore, at step S827, the program localization set by the user at step S822 is written to the data managing file in FIG. 84 so as to be associated with the content ID and the recording and reproducing device ID.

[0956] FIG. 85 is a view showing a flow of a process for reproducing the save data stored by means of the process in FIG. 83. At step S831, the content ID is read out from the content data, and at step S832, the content ID and the program localization by the user are read out from the data managing file shown in FIG. 84.

[0957] At step S833, determination is made based on the data in the data managing file. If “the user set program localization” is set to “Yes”, then at step S834, the user is prompted to input a password, and at step S835, a decryption key is generated based on the input password. This decryption key generating process uses a process algorithm corresponding to the encryption key generating process, that is, a decryption key generating algorithm that enables data encrypted based on a certain password to be decrypted with a decryption key generated based on the same password.

[0958] If it is determined at step S833 that the program localization by the user is set to “No”, then at step S837, the system common key stored in the internal memory of the recording and reproducing device 300 is used to generate the save data decryption key Ksav by using the system signature key Ksys. Alternatively, an encryption key different from the other keys which has been separately saved to the internal memory 307 of the recording and reproducing device 300 may be used as the save data encryption key Ksav.

[0959] At step S836, the decryption key Ksav generated at step S835 or S837 is used to decrypt the save data stored in the recording device, and at step S836, the recording and reproducing device reproduces and executes the save data.

[0960] According to the save data storage and reproduction process flows shown in FIGS. 83 and 85, save data for which “Yes” is selected for “the user set program localization” are encrypted and decrypted with the key based on the user input password, so that these save data can be decrypted and used only if the same password is input, thereby improving the security of the save data.

[0961] The several aspects of the save data storage and reproduction processes have been described, but it is also possible to implement a process obtained by merging the above described processes together, for example, an aspect of generating save data encryption and decryption keys using an arbitrary combination of the password, the recording and reproducing device ID, the content ID, and others.

[0962] (17) Configuration for Excluding (Revoking) Invalid Apparatuses

[0963] As described above, the data processing apparatus according to the present invention improves the security of provided contents and allows such contents to be used only by valid users, using the configuration wherein the recording and reproducing device 300 executes processes such as authentication and encryption on various content data provided by the medium 500 (see FIG. 3) or the communication means 600 and then stores the data in the recording device.

[0964] As understood from the above description, the input content is authenticated, encrypted, and decrypted using the various signature keys, master keys, and integrity-check-value-generating keys (see FIG. 18) stored in the internal memory 307 configured in the cryptography process section 302 of the recording and reproducing device 300. The internal memory 307 storing the key information is desirably characterized to restrain external illegal reads in that it comprises a semiconductor chip that essentially rejects external accesses and has a multilayer structure, an internal memory sandwiched between dummy layers of aluminum or the like or arranged in the lowest layer, and a narrow range of operating voltages and/or frequencies. If, however, these key data or the like should be read out from the internal memory and copied to an unauthorized recording and reproducing device, the copied key information may be used for invalid usage of the content.

[0965] A configuration for preventing the invalid use of a content based on invalid copying of a key will be described below.

[0966] FIG. 86 is a block diagram useful in explaining “(17) Configuration for Excluding Invalid Apparatuses”, which corresponds to this configuration. The recording and reproducing device 300 is similar to the recording and reproducing device shown in the above described FIGS. 2 and 3 and has an internal memory and the previously described various key data (FIG. 18) and recording and reproducing device ID. Here, the recording and reproducing device ID, the key data, or the like copied by a third person is not necessarily stored in the internal memory 307, but the key data or the like in the recording and reproducing device 300 shown in FIG. 86 are collectively or distributively stored in a memory section accessible to the cryptography process section 302 (see FIGS. 2 and 3).

[0967] To implement the configuration for excluding invalid apparatuses, a list of invalid recording and reproducing device IDs is stored in the header section of the content data. As shown in FIG. 86, the content data holds a revocation list as the list of invalid recording and reproducing device IDs (IDdev). Further, a list integrity check value ICVrev is used to check the revocation list for tampering. The list of invalid recording and reproducing device IDs (IDdev) contains the identifiers IDdev of invalid recording and reproducing devices determined by the content provider or manager based on the state of distribution of invalid copies or the like. The revocation list may be encrypted with the distribution key Kdis before being stored. The decryption process executed by the recording and reproducing device is similar to, for example, that in the content download process in the above FIG. 22.

[0968] Here, for better understanding, the revocation list is shown as single data in the content data in FIG. 86 but may be contained, for example, in the previously described usage policy (for example, see FIGS. 32 to 35), which is a component of the header section of the content data. In this case, the previously described integrity check value ICVa is used to check the usage policy data containing the revocation list for tampering. If the revocation list is contained in the usage policy, the integrity check value A: ICVa is used for the check and the integrity-check-value-A-generating key Kicva in the recording and reproducing device is used, thereby eliminating the need to store the integrity-check-value-generating key Kicv-rev.

[0969] If the revocation list is contained in the content data as independent data, the revocation list is checked using the list integrity check value ICVrev for checking the revocation list for tampering, and an intermediate integrity check value is generated from the list integrity check value ICVrev and another partial integrity check value in the content data and is used to carry out a verification process.

[0970] A method for checking the revocation list using the list integrity check value ICVrev for checking the revocation list for tampering is similar to the process for generating the integrity check value such as ICVa or ICVb as explained in the above described FIGS. 23 and 24. That is, the calculation is executed in accordance with the ICV calculation method described in FIGS. 23 and 24 and other figures, using as a key the integrity-check-value-generating key Kicv-rev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using as a message the revocation list contained in the content data. The calculated integrity check value ICV-rev and the integrity check value: ICV-rev stored in the header are compared together, and if they are equal, it is determined that the list has not been tampered with.

[0971] The intermediate integrity check value containing the list integrity check value ICVrev is generated, for example, by using as a key the total-integrity-check-value-generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and applying the ICV calculation method described in FIG. 7 and other figures to a message string comprising the integrity check values A and B and list integrity check value ICVrev in the verified header, with the content integrity check value added thereto depending on the format, as shown in FIG. 25.

[0972] The revocation list and the list integrity check value are provided to the recording and reproducing device 300 via the medium 500 such as a DVD or a CD or the communication means 600 or via the recording device 400 such as a memory card. In this case, the recording and reproducing device 300 may hold valid key data or illegally copied ID.

[0973] FIGS. 87 and 88 show a flow of a process for excluding invalid recording and reproducing devices in this configuration. FIG. 87 shows a flow of a process for excluding (revoking) invalid recording and reproducing devices if a content is provided by the medium 500 such as a DVD or a CD or the communication means 600, while FIG. 88 shows a flow of a process for excluding (revoking) invalid recording and reproducing devices if a content is provided by the recording device 400 such as a memory card.

[0974] First, the process flow in FIG. 87 will be explained. At step S901, the medium is installed and a request is made for a content, that is, a reproduction or download process. The process shown in FIG. 87 corresponds to a step executed, for example, before installation of the medium such as DVD or the like in the recording device followed by the download process. The download process is as previously described with reference to FIG. 22 and is executed as a step before the process flow in FIG. 22 or a process inserted into this process flow.

[0975] If the recording and reproducing device 300 receives a content via the communication means such as a network, then at step S911, a communication session with a content distribution service side is established, and the process then proceeds to step S902.

[0976] At step S902, the revocation list (see FIG. 86) is obtained from the header section of the content data. In this list obtaining process, if the content is present in the medium, the control section 301 shown in FIG. 3 reads it out therefrom via the read section 304. If the content is obtained via the communication means, the control section 301 shown in FIG. 3 receives it from the content distributing side via the communication section 305.

[0977] Next, at step S903, the control section 301 passes the revocation list obtained from the medium 500 or the communication means 600, to the cryptography process section 302, which is then caused to execute the check value generating process. The recording and reproducing device 300 internally has the revocation-integrity-check-value-generating key Kicv-rev, calculates the integrity check value ICV-rev′ in accordance with the ICV calculation method described in FIGS. 23 and 24 and other figures, by applying the integrity-check-value-generating key Kicv-rev using the received revocation list as a message, and compares the result of the calculation with the integrity check value: ICV-rev stored in the header to determine that the list has not been tampered with if they are equal (Yes at step S904). If the values are not equal, the recording and reproducing device determines that the list has been tampered with, and the process proceeds to step S909 to indicate a process error to end the process.

[0978] Then at step S905, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt′. The total integrity check value ICVt′ is generated by using as a key the system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and encrypting the intermediate integrity check value based on the DES, as shown in FIG. 25. The verification process with each partial integrity check value such as the ICVa or ICVb is omitted from the process flow shown in FIG. 87, but verification with these partial check values is carried out depending on the data format as in the process flow in the previously described FIGS. 39 to 45.

[0979] Then at step S906, the generated total integrity check value ICVt′ is compared with the integrity check value ICVt in the header, and if they are equal (Yes at step S906), the process advances to step S907. If the values are not equal, the recording and reproducing device determines that the list has been tampered with, and the process proceeds to step S909 to indicate a process error to end the process.

[0980] As previously described, the total integrity check value ICVt is used to check all the partial integrity check values contained in the content data, such as the ICVa and ICVb and integrity check values for corresponding content blocks which are dependent on the data format. In this case, however, the list integrity check value ICVrev for checking the revocation list for tampering is added to the partial integrity check values, and all of these integrity check values are checked for tampering. If the total integrity check value equals the integrity check value: ICVt stored in the header, it is determined that none of the ICVa and ICVb, the content block integrity check values, and the list integrity check value ICVrev has been tampered with.

[0981] Further at step S907, the revocation list, which has been determined to be free from tampering, is compared with the recording and reproducing device ID (IDdev) stored in this recording and reproducing device 300.

[0982] If the list of invalid recording and reproducing device IDs IDdev read out from the content data contains the identifier IDdev of this recording and reproducing device, this recording and reproducing device 300 is determined to have illegally copied key data. The process then advances to step S909 to abort the subsequent procedure. For example, the process disables the execution of the content download process in FIG. 22.

[0983] At step S907, if the list of invalid recording and reproducing device IDs IDdev is determined not to contain the identifier IDdev of this recording and reproducing device, this recording and reproducing device 300 is determined to have valid key data. The process proceeds to step S908 to enable the subsequent procedure, for example, the program executing process or the content download process in FIG. 22 or other figures.

[0984] FIG. 88 shows a process executed to reproduce content data stored in the recording device 400 such as a memory card. As previously described, the recording device 400 such as a memory card and the recording and reproducing device 300 carry out the mutual authentication process described in FIG. 20 (step S921). Only if the mutual authentication is successful at step S922, the process proceeds to step S923 and the subsequent processing, whereas if the mutual authentication fails, an error occurs at step S930 to prevent the subsequent processing from being executed.

[0985] At step S923, the revocation list (see FIG. 86) is obtained from the header section of the content data. The processing at the subsequent steps S924 to 930 is similar to the corresponding processing in FIG. 87. That is, the list is verified with the list integrity check value (S924 and S925) and with the total integrity check value (S926 and S927), and the list entry is compared with the recording and reproducing device ID IDdev (S928). Then, if the list of invalid recording and reproducing device IDs IDdev contains the identifier IDdev of this recording and reproducing device, this recording and reproducing device 300 is determined to have illegally copied key data, and the process then advances to step S930 to abort the subsequent procedure. For example, the process disables the execution of the content reproduction process in FIG. 28. On the other hand, if the list of invalid recording and reproducing device IDs IDdev is determined not to contain the identifier IDdev of this recording and reproducing device, this recording and reproducing device 300 is determined to have valid key data, and the process proceeds to step S929 to enable the subsequent procedure.

[0986] As described above, according to the present data processing apparatus, the data identifying invalid recording and reproducing devices, that is, the revocation list containing the identifiers IDdev of invalid recording and reproducing devices is contained in the content provided by the content provider or manager as constituent data of the header section of the content data. Before using the content in the recording and reproducing device, the recording and reproducing device user collates the recording and reproducing device ID IDdev stored in the memory of this recording and reproducing device with the ID in the list and prevents the subsequent processing if matching data are found. Consequently, the content can be prevented from being used by invalid recording and reproducing devices that store copied key data in their memory.
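The check order of FIG. 87 (S903 to S908) can be followed in the sketch below, which is an added illustration and not code from the specification. It assumes 8-byte device IDs, a header held as a dictionary, and constructed sample keys, and it substitutes truncated HMAC-SHA-256 for the DES-based ICV calculation and for the DES encryption under Ksys.

```python
import hashlib
import hmac
from enum import Enum

ICV_LEN = 8  # one 64-bit block, the size of a DES-based check value
ID_LEN = 8   # assumed fixed length of one device identifier IDdev

# Constructed sample keys; on the page these are held in internal memory 307.
KEYS = {"Kicv-rev": b"sample-kicv-rev", "Kicvt": b"sample-kicvt", "Ksys": b"sample-ksys"}


class Result(Enum):
    ENABLED = "S908: subsequent procedure enabled"
    LIST_TAMPERED = "S909: ICVrev mismatch"
    HEADER_TAMPERED = "S909: ICVt mismatch"
    REVOKED = "S909: IDdev found in revocation list"


def icv(key, message):
    """Stand-in check value: truncated HMAC-SHA-256 instead of DES-CBC-MAC."""
    return hmac.new(key, message, hashlib.sha256).digest()[:ICV_LEN]


def total_icv(keys, partial_icvs):
    """Intermediate value keyed with Kicvt, then a keyed transform with Ksys.

    The second step stands in for the DES encryption of the intermediate value.
    """
    intermediate = icv(keys["Kicvt"], b"".join(partial_icvs))
    return icv(keys["Ksys"], intermediate)


def make_header(keys, revoked_ids, icv_a, icv_b):
    """Provider side: build the header fields a device will later verify."""
    rev = b"".join(revoked_ids)
    icv_rev = icv(keys["Kicv-rev"], rev)
    return {
        "revocation_list": rev,
        "ICVrev": icv_rev,
        "ICVa": icv_a,
        "ICVb": icv_b,
        "ICVt": total_icv(keys, [icv_a, icv_b, icv_rev]),
    }


def check_revocation(header, keys, id_dev):
    """Device side: authenticate the list before trusting any entry in it."""
    rev = header["revocation_list"]

    # S903/S904: recompute ICVrev' over the received list and compare.
    if not hmac.compare_digest(icv(keys["Kicv-rev"], rev), header["ICVrev"]):
        return Result.LIST_TAMPERED

    # S905/S906: recompute ICVt' over ICVa, ICVb and ICVrev and compare.
    partials = [header["ICVa"], header["ICVb"], header["ICVrev"]]
    if not hmac.compare_digest(total_icv(keys, partials), header["ICVt"]):
        return Result.HEADER_TAMPERED

    # S907: only now is the list content compared with this device's IDdev.
    entries = {rev[i:i + ID_LEN] for i in range(0, len(rev), ID_LEN)}
    return Result.REVOKED if id_dev in entries else Result.ENABLED


# Constructed sample data: two partial check values and two revoked devices.
SAMPLE_ICV_A = icv(b"sample-kicva", b"content ID and usage policy")
SAMPLE_ICV_B = icv(b"sample-kicvb", b"block information table and keys")
SAMPLE_HEADER = make_header(KEYS, [b"DEV00002", b"DEV00007"], SAMPLE_ICV_A, SAMPLE_ICV_B)

if __name__ == "__main__":
    for dev in (b"DEV00001", b"DEV00007"):
        print(dev, check_revocation(SAMPLE_HEADER, KEYS, dev).value)
    # A header whose list had one entry removed without a matching ICVrev.
    stripped = dict(SAMPLE_HEADER, revocation_list=b"DEV00002")
    print("stripped list:", check_revocation(stripped, KEYS, b"DEV00007").value)
```

Because ICVrev is one of the inputs to ICVt, a header in which only another partial check value such as ICVa was altered still passes the list check and is rejected at the S906 comparison.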

[0987] (18) Method for Configuring and Manufacturing Secure Chip

[0988] As previously described, the internal memory 307 of the recording and reproducing device cryptography process section 302 or the internal memory 405 of the recording device 400 holds important information such as the cryptography keys and thus needs to be structured to reject external invalid reads. Thus, the recording and reproducing device cryptography process section 302 and the recording device cryptography process section 401 are configured as a tamper resistant memory characterized to restrain external illegal reads in that it comprises, for example, a semiconductor chip that rejects external accesses and has a multilayer structure, an internal memory sandwiched between dummy layers of aluminum or the like or arranged in the lowest layer, and a narrow range of operating voltages and/or frequencies.

[0989] As understood from the above description, however, data such as the recording and reproducing device signature key Kdev which vary depending on the recording and reproducing device must be written to the internal memory 307 of the recording and reproducing device cryptography process section 302. Additionally, data rewrites or reads must be difficult after individual information for each chip, for example, identification information (ID) and encryption key information has been written to a non-volatile storage area in the chip, for example, a flash memory or an FeRAM, for example, after shipment.

[0990] A conventional method for making data reads and rewrites difficult comprises, for example, making a data write command protocol secret or separating signal lines on the chip for accepting the data write command from communication signal lines used after completion of the product so that the data write command will not be effective unless the signal is directly transmitted to the chip on a substrate.

[0991] Even with such a conventional method, however, those who have a technical knowledge of storage elements can output signals to a data write area of the chip if they have a facility and a technique for driving the circuit, and even if a data write command protocol is secret, there is always a possibility that the protocol may be analyzed.

[0992] Distribution of elements for storing cryptography process data which allow secret data to be modified may threaten the entire cryptography process system. In addition, to prevent data from being read out, it is possible to avoid implementing the data read command. In this case, however, even if a regular data write has been executed, it is impossible to determine whether or not the written data has been accurately written, resulting in a possibility of supplying chips with inappropriate data written thereto.

[0993] In view of these conventional techniques, the present invention provides a secure chip configuration that enables data to be accurately written to a non-volatile memory such as a flash memory or an FeRAM while restraining data from being read out therefrom, as well as a method for manufacturing such a secure chip.

[0994] FIG. 89 shows a security chip configuration applicable to, for example, the above described recording and reproducing device cryptography process section 302 or the cryptography process section 401 of the recording device 400. FIG. 89(A) shows a security chip configuration formed during a chip manufacturing process, that is, during a data write process, and FIG. 89(B) shows an example of the configuration of a product such as the recording and reproducing device 300 or the recording device 400 which has a security chip mounted in the product and having data written thereto.

[0995] During the manufacturing process, a process section 8001 of the security chip has mode specifying signal lines 8003 and various command signal lines 8004 connected thereto and writes or reads data to or from a storage section 8002 comprising a non-volatile memory, depending on, for example, whether the chip is in a data write mode or a data read mode.

[0996] On the other hand, in the security chip mounted product in FIG. 89(B), the security chip is connected to an externally connected interface, peripheral equipment, and other elements via general purpose signal lines, whereas the mode signal lines 8003 are not connected. Specific processing for the mode signal lines 8003 includes connecting these lines 8003 to the ground, increasing the voltage on these lines to Vcc, cutting them, sealing them with an insulator resin, etc. Such processing hinders the mode signal lines in the security chip from being accessed after shipment, thereby preventing data from being externally read out from the chip or written thereto.

[0997] Further, the security chip 8000 of this configuration hinders data from being written to the storage section 8002 while hindering written data from being read out therefrom, thereby preventing invalid data writes or reads even if a third person successfully accesses the mode signal lines 8003. FIG. 90 shows a process flow of a data write to or a data read from the security chip of this configuration.

[0998] At step S951, the mode signal lines 8003 are set for a data write or read mode.

[0999] At step S952, authentication information is taken out from the chip. The security chip of this configuration stores information required for the authentication process, such as a password and key information for the authentication process for the cryptography technique, for example, by wires or the mask ROM configuration. At step S952, this authentication information is read out to execute the authentication process. If, for example, regular data write jig and data read device are connected to the general purpose signal lines to execute the authentication process, the authentication will be successful (Yes at step S953). If, however, invalid data write jig and data read device are connected to the general purpose signal lines to execute the authentication process, the authentication will fail (No at step S953) and the process is stopped. The authentication process can be executed, for example, in accordance with the mutual authentication process procedure previously described in FIG. 13. The process section 8001 shown in FIG. 89(A) has a configuration capable of such an authentication process. This can be implemented, for example, using a configuration similar to a command register integrated into the control section 403 of the cryptography process section 401 of the recording device 400 shown in the previously described FIG. 29. For example, the process section of the chip in FIG. 89(A) has a configuration similar to the command register integrated into the control section 403 of the cryptography process section 401 of the recording device 400 shown in FIG. 29, and carries out an appropriate process to enable the authentication process sequence to be executed, in response to an input of a predetermined command from an apparatus connected to the various command signal lines 8004.

[1000] Only if the authentication process is successful, the process section 8001 accepts the data write or read command to execute the data write (step S955) or read (step S956) process.

[1001] As described above, the security chip of this configuration is configured to execute the authentication process on a data write or read, thereby preventing an unauthorized third person from reading or writing data to or from the storage section of the security chip.

[1002] Next, FIG. 91 shows an embodiment of a securer element configuration. In this example, the storage section 8200 of the security chip is separated into two areas; one of the areas is a Read Write (RW) area 8201 to and from which data can be written and read, while the other is a Write Only (WO) area 8202 to which data can only be written.

[1003] In this configuration, cryptography key data, ID data, and other data which require high security are written to the Write Only (WO) area 8202, whereas integrity check data and other data which do not require so high security are written to the Read Write (RW) area 8201.

[1004] As a process for reading data out from the Read Write (RW) area 8201, the process section 8001 executes a data read process involving the authentication process described in the above described FIG. 90. The data write process, however, is executed following the flow in FIG. 92.

[1005] At step S961 in FIG. 92, the mode signal lines 8003 are set for the write mode, and at step S962, an authentication process similar to that described in the above FIG. 90 is executed. When the authentication process is successful, the process proceeds to step S963 to output to the process section 8001, a command for writing information such as key data which requires high security to the Write Only (WO) area 8202 via the command signal lines 8004, while writing check data or other data which do not require so high security to the Read Write (RW) area 8201.

[1006] At step S964, on receiving the command, the process section 8001 executes a data write process on the Write Only (WO) area 8202 or the Read Write (RW) area 8201 depending on the command.

[1007] In addition, FIG. 93 shows a flow of a process for verifying data written to the Write Only (WO) area 8202.

[1008] At step S971 in FIG. 93, the process section 8001 causes the Write Only (WO) area 8202 to execute the cryptography process based on the written data. Like the above authentication process executing configuration, this execution configuration is implemented by a configuration for sequentially executing the cryptography process sequence stored in the command register. Additionally, the cryptography process algorithm executed in the process section 8001 is not particularly limited, but for example, the previously described DES algorithm can be carried out.

[1009] Then at step S972, a verification device connected to the security chip receives the result of the cryptography process from the process section 8001. Then at step S973, the result of the application of a cryptography process similar to the algorithm executed by the process section 8001 on the regular write data written to the storage section at step S973 is compared with the result of encryption from the process section 8001.

[1010] If the compared results are identical, it is verified that the data written to the Write Only (WO) area 8202 are correct.

[1011] With this configuration, if the authentication process should be deciphered to enable the read command to be executed, data can be read out only from the Read Write (RW) area 8201, while data written to the Write Only (WO) area 8202 cannot be read out; thus this configuration provides much higher security. In addition, unlike chips that prohibit data reads, this chip includes the Read Write (RW) area 8201 to enable memory accesses to be validated.
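The write-then-verify procedure of FIGS. 90 to 93 can be modelled in software as below; this is an added behavioural sketch, not part of the specification. It assumes a one-way HMAC challenge-response in place of the mutual authentication of FIG. 13, HMAC-SHA-256 keyed with the WO data in place of the DES process, a verifier-chosen test vector, and that verification runs inside the authenticated write session; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def keyed_digest(key, message):
    """Stand-in for the chip's cryptography process (the page names DES)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class SecurityChipModel:
    """Behavioural model of process section 8001 with RW and WO storage areas."""

    def __init__(self, auth_key):
        self._auth_key = auth_key      # page: fixed by wires or mask ROM
        self._rw, self._wo = {}, {}    # areas 8201 and 8202
        self._mode = None
        self._nonce = None
        self._authed = False

    def set_mode(self, mode):
        """S951/S961: mode signal lines 8003; changing mode drops the session."""
        if mode not in ("write", "read"):
            raise ValueError(mode)
        self._mode, self._authed, self._nonce = mode, False, None

    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def authenticate(self, response):
        """S952/S953: accept commands only from a jig that knows the key."""
        expected = keyed_digest(self._auth_key, self._nonce) if self._nonce else None
        self._nonce = None  # each challenge is usable once
        self._authed = expected is not None and hmac.compare_digest(expected, response)
        return self._authed

    def _require(self, mode):
        if not self._authed or self._mode != mode:
            raise PermissionError("command rejected: not authenticated for " + mode)

    def write(self, area, addr, data):
        """S963/S964: the command selects the WO or RW area."""
        self._require("write")
        if area not in ("WO", "RW"):
            raise ValueError(area)
        (self._wo if area == "WO" else self._rw)[addr] = bytes(data)

    def read(self, area, addr):
        """Only the RW area has a read path, even for an authenticated reader."""
        self._require("read")
        if area != "RW":
            raise PermissionError("the WO area cannot be read out")
        return self._rw[addr]

    def process_with_wo(self, addr, test_vector):
        """S971: run the cryptography process on the written data, return the result."""
        self._require("write")
        return keyed_digest(self._wo[addr], test_vector)


def jig_login(chip, jig_key, mode):
    """Jig side of the authentication exchange."""
    chip.set_mode(mode)
    return chip.authenticate(keyed_digest(jig_key, chip.challenge()))


def verify_wo_write(chip, addr, intended):
    """S972/S973: compare the chip's result with one computed from the intended data."""
    test_vector = os.urandom(16)
    return hmac.compare_digest(chip.process_with_wo(addr, test_vector),
                               keyed_digest(intended, test_vector))


def denied(operation, *args):
    """True if the chip refuses the operation."""
    try:
        operation(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    chip = SecurityChipModel(b"constructed-auth-key")
    jig_login(chip, b"constructed-auth-key", "write")
    chip.write("WO", 0, b"constructed-Kdev")
    print("write verified:", verify_wo_write(chip, 0, b"constructed-Kdev"))
    jig_login(chip, b"constructed-auth-key", "read")
    print("WO read refused:", denied(chip.read, "WO", 0))
```

The manufacturer learns whether the key was written correctly without the chip ever exposing a read path to the WO area, which is the property paragraph [1011] relies on.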

[1012] This invention has been described with reference to the particular embodiments. Obviously, however, modifications or substitutions may be made to the present invention by those skilled in the art without deviating from the spirit thereof. That is, the present invention has been disclosed for illustrative purposes only and should not be interpreted in a restrictive manner. In addition, in the above described embodiments, the recording and reproducing device capable of recording and reproducing contents are described by way of example. However, the configuration of the present invention is applicable to apparatuses capable of only recording or reproducing data, and the present invention can be implemented in personal computers, game apparatuses, and other various data processing apparatuses in general. To determine the points of the present invention, the claims set forth at the beginning should be referenced.

INDUSTRIAL APPLICABILITY

[1013] The present invention can be utilized in apparatuses and systems which are capable of reproducing various contents such as sounds, images, games, and programs, which can be obtained via a storage medium, such as a DVD and a CD, or via various wired and radio communication means such as CATV, Internet, and satellite communication, in a recording and reproducing device a user has, and storing the contents in a special recording device, such as a memory card, a hard disk, and a CD-R, and at the same time, of offering security in which the utilization that a contents provider wants is limited in the case of using the contents stored in the recording device, and a third party other than regular users is prevented from illegally using the provided contents.

1. A data processing apparatus for processing content data provided by a recording or communication medium, characterized in that said apparatus comprises: a cryptography process section for executing a cryptography process on said content data; and a control section for executing control for said cryptography process section, and said cryptography process section: is configured to generate partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data-constituting section into a plurality of parts, and to collate the generated integrity check values to verify said partial data, and generates an intermediate integrity check value based on a partial integrity check value set data string containing at least one or more of said partial integrity check values, and uses the generated intermediate integrity check value to verify the entirety of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting said partial integrity check value set.
2. The data processing apparatus according to claim 1, characterized in that: said partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, said intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message, and said cryptography process section is configured to store said partial-integrity-check-value-generating value and said general-integrity-check-value-generating key.
3. The data processing apparatus according to claim 1, characterized in that: said cryptography process has plural types of partial-check-value-generating key corresponding to generated partial integrity check values.
4. The data processing apparatus according to claim 2, characterized in that: said cryptography process is a DES cryptography process, and said cryptography process section is configured to execute the DES cryptography process.
5. The data processing apparatus according to claim 2, characterized in that: said partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, said intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message, and said cryptography process section is configured to execute the cryptography process in the DES-CBC mode.
6. The data processing apparatus according to claim 5, characterized in that: in the DES-CBC mode-based cryptography process configuration of said cryptography process section, Triple DES is applied only in part of a message string to be processed.
7. The data processing apparatus according to claim 1, characterized in that: said data processing apparatus has a signature key, and said cryptography process section: is configured to apply a value generated from said intermediate value by means of said signature key-applied cryptography process as a collation value for data verification.
8. The data processing apparatus according to claim 7, characterized in that: said data processing apparatus has a plurality of different signature keys as signature keys, and said cryptography process section: is configured to apply one of said plurality of different signature keys which is selected depending on a localization of said content data, to the cryptography process for said intermediate integrity check value to obtain the collation value for data verification.
9. The data processing apparatus according to claim 8, characterized in that: said data processing apparatus has a common signature key common to all entities of a system for executing a data verifying process and an apparatus-specific signature key specific to each apparatus that executes a data verifying process.
10. The data processing apparatus according to claim 1, characterized in that: said partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data and one or more content integrity check values generated for content block data partly constituting the data, and said cryptography process is configured to generate one or more header section integrity check values for a partial data set in said intra-header-section data to execute a collation process, generate one or more content integrity check values for a partial data set in said intra-content-section data to execute a collation process, and further generate a general integrity check value based on all said header section integrity check values and said content integrity check values generated, to execute a collation process in order to verify the data.
11. The data processing apparatus according to claim 1, characterized in that: said partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data, and said cryptography process is configured to generate one or more header section integrity check values for a partial data set in said intra-header-section data to execute a collation process and further generate a general integrity check value based on said one or more header section integrity check values generated and on content block data constituting part of said data, to execute a collation process in order to verify the data.
12. The data processing apparatus according to claim 1, characterized by further comprising: a recording device for storing data validated by said cryptography process section.
13. The data processing apparatus according to claim 12, characterized in that: said control section is configured so that if in the process executed by said cryptography process section to collate the partial integrity check value, the collation is not established, and said control section suspends the process for storing data in said recording device.
14. The data processing apparatus according to claim 1, characterized by further comprising: a reproduction process section for reproducing data validated by said cryptography process section.
15. The data processing apparatus according to claim 14, characterized in that: if in the process executed by said cryptography process section to collate the partial integrity check value, the collation is not established, and said control section suspends the reproduction process in said reproduction process section.
16. The data processing apparatus according to claim 14, characterized by comprising: control means for collating only the header section integrity check values in the data during the process executed by said cryptography process section to collate the partial integrity check values and transmitting data for which collation of the header section integrity check values has been established, to said reproduction process section for reproduction.
17. A data processing apparatus for processing content data provided by a recording or communication medium, characterized in that said apparatus comprises: a cryptography process section for executing a cryptography process on said content data; and a control section for executing control for said cryptography process section, and said cryptography process section: is configured to generate, if data to be verified are encrypted, integrity check values for the data to be verified by means of a signature data-applied cryptography process from data on arithmetic operation results obtained by executing an arithmetic operation process on decrypted data obtained by executing a decryption process on the encrypted data.
18. The data processing apparatus according to claim 17, characterized in that: said arithmetic operation process comprises performing an exclusive-OR operation on decrypted data every predetermined bytes, the decrypted data being obtained by decrypting said encrypted data.
19. A data processing method for processing content data provided by a recording or communication medium, characterized in that said method: generates partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data constituting section into a plurality of parts, and collates the generated integrity check values to verify said partial data, and generates an intermediate integrity check value based on a partial integrity check value set data string containing at least one or more of said partial integrity check values, and uses the generated intermediate integrity check value to verify the entirety of the plurality of partial data sets corresponding to the plurality of partial integrity check values constituting said partial integrity check value set.
20. The data processing method according to claim 19, characterized in that: said partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, and said intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message.
 21. The data processing method according to claim 20, characterized in that: said partial integrity check value is generated by applying different types of partial-check-value-generating keys corresponding to generated partial integrity check values.
 22. The data processing method according to claim 20, characterized in that: said cryptography process is a DES cryptography process.
 23. The data processing method according to claim 19, characterized in that: said partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, and said intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message.
 24. The data processing method according to claim 19, characterized in that: a value generated from said intermediate value by means of a signature key-applied cryptography process is applied as a collation value for data verification.
 25. The data processing method according to claim 24, characterized in that: different signature keys are applied to the cryptography process for said intermediate integrity check value depending on a localization of said content data, to obtain the collation value for data verification.
 26. The data processing method according to claim 25, characterized in that: a common signature key common to all entities of a system for executing a data verifying process or an apparatus-specific signature key specific to each apparatus that executes a data verifying process is selected and used as said signature key depending on the localization of the content data.
 27. The data processing method according to claim 19, characterized in that: said partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data and one or more content integrity check values generated for intra-content-section data partly constituting the data, and a data verifying process: generates one or more header section integrity check values for a partial data set in said intra-header-section data to execute a collation process; generates one or more content integrity check values for a partial data set in said intra-content-section data to execute a collation process; and further generates a general integrity check value based on all said header section integrity check values and said content integrity check values generated, to execute a collation process in order to verify the data.
 28. The data processing method according to claim 19, characterized in that: said partial integrity check value contains one or more header section integrity check values generated for intra-header-section data partly constituting data, and the data verifying process: generates one or more header section integrity check values for a partial data set in said intra-header-section data to execute a collation process; and further generates a general integrity check value based on said one or more header section integrity check values generated and on content block data constituting part of said data, to execute a collation process in order to verify the data.
 29. The data processing method according to claim 19, characterized by further comprising: a process for storing, after data verification, storing validated data.
 30. The data processing method according to claim 29, characterized in that: if in the process for collating said partial integrity check value, the collation is not established, control is executed such as to suspend the process for storing data in said recording device.
 31. The data processing method according to claim 19, characterized by further comprising: a data reproduction process for reproducing data after the data verification.
 32. The data processing method according to claim 31, characterized in that: if in the process for collating said partial integrity check value, the collation is not established, and control is executed such as to suspend the reproduction process executed in said reproduction process section.
 33. The data processing method according to claim 31, characterized in that said method: collates only the header section integrity check values in the data during the process for collating the partial integrity check values and transmits data for which collation of the header section integrity check values has been established, to said reproduction process section for reproduction.
 34. The data processing method for processing content data provided by a recording or communication medium, the method being characterized in that said method: if data to be verified are encrypted, executes an arithmetic operation process on decrypted data obtained by decrypting the encrypted data, executes a signature key-applied cryptography process on data on arithmetic operation results obtained by said arithmetic operation, to generate integrity check values for said data to be verified.
 35. The data processing method according to claim 34, characterized in that: said arithmetic operation process comprises performing an exclusive-OR operation on decrypted data every predetermined bytes, the decrypted data being obtained by decrypting said encrypted data.
 36. A data verifying value imparting method for a data verifying process, characterized in that said method: imparts partial integrity check values as integrity check values for a partial data set containing one or more partial data obtained by a content data constituting section into a plurality of parts, and imparts to data to be verified, an intermediate integrity check value used to verify a partial integrity check value set data string containing at least one or more of said partial integrity check values.
 37. The data verifying value imparting method according to claim 36, characterized in that: said partial integrity check value is generated by means of a cryptography process with a partial-check-value-generating key applied thereto, using partial data to be checked, as a message, and said intermediate integrity check value is generated by means of a cryptography process with a general-check-value-generating key applied thereto, using a partial integrity check value set data string to be checked, as a message.
 38. The data verifying value imparting method according to claim 37, characterized in that: said partial integrity check value is generated by applying different types of partial-check-value-generating keys corresponding to generated partial integrity check values.
 39. The data verifying value imparting method according to claim 37, characterized in that: said cryptography process is a DES cryptography process.
 40. The data verifying value imparting method according to claim 36, characterized in that: said partial integrity check value is a message authentication code (MAC) generated in a DES-CBC mode using partial data to be checked, as a message, and said intermediate value is a message authentication code (MAC) generated in a DES-CBC mode using a partial integrity check value set data string to be checked, as a message.
 41. The data verifying value imparting method according to claim 36, characterized in that: a value generated from said intermediate value by means of a signature key-applied cryptography process is applied as a collation value for data verification.
 42. The data verifying value imparting method according to claim 41, characterized in that: different signature keys are applied to the cryptography process for said intermediate integrity check value depending on a localization of said content data, to obtain the collation value for data verification.
 43. The data verifying value imparting method according to claim 42, characterized in that: a common signature key common to all entities of a system for executing a data verifying process or an apparatus-specific signature key specific to each apparatus that executes a data verifying process is selected and used as said signature key depending on the localization of the content data.
 44. The data verifying value imparting method according to claim 36, characterized in that: said partial integrity check value contains one or more header section integrity check values for intra-header-section data partly constituting data and one or more content integrity check values for intra-content-section data partly constituting the data, and said method is set so that a general integrity check value is generated for all said header section integrity check values and said content integrity check values, to verify the data.
 45. The data verifying value imparting method according to claim 36, characterized in that: said partial integrity check value contains one or more header section integrity check values for intra-header-section data partly constituting data, and said method is set so that a general integrity check value is generated for said one or more header section integrity check values and content block data partly constituting said data, to verify the data.
 46. A program providing medium for providing a computer program for causing a data verifying process to be executed on a computer system to verify that data are valid, the program providing medium being characterized in that said computer program comprises steps of: executing a collation process using partial integrity check values generated as integrity check values for a partial data set containing one or more partial data obtained by dividing data into a plurality of parts, and using an intermediate integrity check value based on a partial integrity check value set obtained by combining a plurality of said partial integrity check values together, to verify the entirety of a plurality of partial data sets corresponding to the plurality of partial integrity check values constituting said partial integrity check value set.
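The two-tier check of claims 19 to 46 can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 is swapped in for the DES-CBC MAC of claims 23 and 40, and every key value, field name and data string is a constructed assumption.

```python
import copy
import hashlib
import hmac

# Constructed demo keys; the claims name these key roles but give no values.
K_ICV_HEADER = b"demo partial-check-value key (header)"
K_ICV_CONTENT = b"demo partial-check-value key (content)"
K_ICV_GENERAL = b"demo general-check-value key"
K_SYS = b"demo common signature key"
K_DEV_A = b"demo signature key of device A"
K_DEV_B = b"demo signature key of device B"


def mac(key, message):
    # HMAC-SHA256 swapped in for the DES-CBC MAC named in claims 23 and 40.
    return hmac.new(key, message, hashlib.sha256).digest()


def collation_value(header_icvs, content_icvs, localized, device_key):
    # Intermediate ICV: MAC over the partial ICV set data string (claim 19),
    # then a signature-key MAC over that intermediate value (claim 24).
    intermediate = mac(K_ICV_GENERAL, b"".join(header_icvs + content_icvs))
    # Claim 26: apparatus-specific key for localized content, common key otherwise.
    return mac(device_key if localized else K_SYS, intermediate)


def impart(header_parts, content_blocks, localized=False, device_key=K_DEV_A):
    """Producer side (claims 36-45): attach partial ICVs and the collation value."""
    header_icvs = [mac(K_ICV_HEADER, p) for p in header_parts]
    content_icvs = [mac(K_ICV_CONTENT, b) for b in content_blocks]
    return {
        "header": list(header_parts),
        "content": list(content_blocks),
        "header_icvs": header_icvs,
        "content_icvs": content_icvs,
        "localized": localized,
        "collation": collation_value(header_icvs, content_icvs, localized, device_key),
    }


def _check_parts(label, key, parts, icvs):
    # Collate each partial ICV; a count mismatch is treated as a failure.
    if len(parts) != len(icvs):
        return f"{label}: part count and ICV count differ"
    for i, (part, icv) in enumerate(zip(parts, icvs)):
        if not hmac.compare_digest(mac(key, part), icv):
            return f"{label} {i}: partial ICV mismatch"
    return None


def verify(pkg, device_key=K_DEV_A, header_only=False):
    """Consumer side (claims 19-33). Returns 'ok' or the first failure found."""
    err = _check_parts("header", K_ICV_HEADER, pkg["header"], pkg["header_icvs"])
    if err:
        return err
    if header_only:  # claim 33: only the header section ICVs are collated
        return "ok"
    err = _check_parts("content", K_ICV_CONTENT, pkg["content"], pkg["content_icvs"])
    if err:
        return err
    expected = collation_value(pkg["header_icvs"], pkg["content_icvs"],
                               pkg["localized"], device_key)
    if not hmac.compare_digest(expected, pkg["collation"]):
        return "general ICV mismatch"
    return "ok"


def demo():
    header = [b"content-id=0001", b"usage-policy=play"]
    blocks = [b"block-0", b"block-1", b"block-2"]
    pkg = impart(header, blocks)
    results = {"clean": verify(pkg)}

    edited = copy.deepcopy(pkg)
    edited["content"][1] = b"block-X"  # one block changed in storage or transit
    results["edited block"] = verify(edited)
    results["header-only check of edited package"] = verify(edited, header_only=True)

    # Blocks reordered together with their ICVs: every partial ICV still
    # collates, only the check over the ICV set data string detects it.
    swapped = copy.deepcopy(pkg)
    for field in ("content", "content_icvs"):
        swapped[field][0], swapped[field][1] = swapped[field][1], swapped[field][0]
    results["reordered blocks"] = verify(swapped)

    local = impart(header, blocks, localized=True, device_key=K_DEV_A)
    results["localized, device A"] = verify(local, device_key=K_DEV_A)
    results["localized, device B"] = verify(local, device_key=K_DEV_B)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The header-only result shows the limit of the claim 33 shortcut: it vouches for the header section alone, so content blocks still need their own collation before they are trusted.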
 47. A data processing apparatus comprising: an encryption processing section that executes encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing; and a storage section that stores master keys to generate keys used for said encryption processing, characterized in that said encryption processing section is configured to generate individual keys necessary to execute said encryption processing based on said master keys, an encryption processing target apparatus or data identification data.
 48. The data processing apparatus according to claim 47, characterized in that said data processing apparatus is a data processing apparatus that performs encryption processing on transfer data via a storage medium or communication medium, said storage section stores a distribution key generation master key MKdis for generating a distribution key Kdis used for encryption processing of said transfer data, and said encryption processing section executes encryption processing based on the distribution key generation master key MKdis stored in said storage section and a data identifier, which is identification data of said transfer data and generates said transfer data distribution key Kdis.
 49. The data processing apparatus according to claim 47, characterized in that said data processing apparatus is a data processing apparatus that performs authentication processing of an externally connected apparatus to/from which data is transferred, said storage section stores an authentication key generation master key MKake for generating an authentication key Kake of said externally connected apparatus, and said encryption processing section executes encryption processing based on the authentication key generation master key MKake stored in said storage section and an externally connected apparatus identifier, which is identification data of said externally connected apparatus and generates the authentication key Kake of said externally connected apparatus.
 50. The data processing apparatus according to claim 47, characterized in that said data processing apparatus is a data processing apparatus that performs signature processing on data, said storage section stores a signature key generation master key MKdev for generating a data processing apparatus signature key Kdev of said data processing apparatus, and said encryption processing section executes encryption processing based on the signature key generation master key MKdev stored in said storage section and a data processing apparatus identifier, which is identification data of said data processing apparatus and generates the data processing apparatus signature key Kdev of said data processing apparatus.
 51. The data processing apparatus according to claim 47, characterized in that individual key generation processing that generates an individual key necessary to execute encryption processing based on said master key and identification data of the apparatus or data subject to encryption processing is encryption processing that uses at least part of identification data of the apparatus or data subject to encryption processing as a message and applies said master key as the encryption key.
 52. The data processing apparatus according to claim 51, characterized in that said encryption processing is encryption processing using a DES algorithm.
 53. A data processing system configured by a plurality of data processing apparatuses, characterized in that each of said plurality of data processing apparatuses having a common master key to generate a key used for encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing, and each of said plurality of data processing apparatuses generating a common individual key necessary to execute said encryption processing based on said master key and identification data of the apparatus or data subject to encryption processing.
 54. The data processing system according to claim 53, characterized in that said plurality of data processing apparatuses is configured by a contents data providing apparatus that supplies contents data and a contents data utilization apparatus that utilizes the contents data, both the contents data providing apparatus and contents data utilization apparatus have a distribution key generation master key to generate a contents data distribution key used for encryption processing of circulation contents data between said contents data providing apparatus and contents data utilization apparatus, said contents data providing apparatus generates a contents data distribution key based on said distribution key generation master key and contents identifier, which is an identifier of supplied contents data and executes encryption processing on said contents data, and said contents data utilization apparatus generates a contents data distribution key based on said distribution key generation master key and contents identifier, which is an identifier of supplied contents data and executes decryption processing on said contents data.
 55. The data processing system according to claim 54, characterized in that said contents data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different contents data distribution keys, generates a plurality of different contents data distribution keys based on said plurality of distribution key generation master keys and said contents identifier, executes encryption processing using said plurality of distribution keys generated and generates encryption contents data of a plurality of types, and said contents data utilization apparatus has at least one distribution key generation master key of the plurality of different distribution key generation master keys owned by said contents data providing apparatus and makes decodable only encryption contents data by a distribution key generated using the same distribution key generation master key as the distribution key generation master key owned by the own apparatus.
 56. The data processing system according to claim 53, characterized in that each of said plurality of data processing apparatuses stores a same contents key generation master key to generate a contents key used for encryption processing of contents data, data processing apparatus A, which is one of said plurality of data processing apparatuses, stores contents data encrypted by a contents key generated based on said contents key generation master key and the apparatus identifier of said data processing apparatus A in a storage medium, different data processing apparatus B generates a contents key based on said same contents key generation master key and the apparatus identifier of said data processing apparatus A and executes decryption processing on the encrypted contents data stored by said data processing apparatus A in said storage medium based on said contents key generated.
 57. The data processing system according to claim 53, characterized in that said plurality of data processing apparatuses are configured by a host device and a slave device subject to authentication processing by said host device, both said host device and said slave device have an authentication key generation master used for authentication processing between the host device and slave device, said slave device generates an authentication key based on said authentication key generation master key and said slave device identifier, which is the identifier of said slave device and stores in memory in the slave device, and said host device generates an authentication key based on said authentication key generation master key and the slave device identifier, which is the identifier of said slave device and executes authentication processing.
 58. A data processing method that executes encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing, comprising: a key generating step of generating individual keys necessary to execute encryption processing based on master keys to generate the key used for said encryption processing and identification data of the apparatus or data subject to encryption processing; and an encryption processing step of executing encryption processing based on the key generated in said key generating step.
 59. The data processing method according to claim 58, characterized in that data processing executed by said data processing method is encryption processing on transfer data via a storage medium or communication medium, said key generating step is a distribution key generating step of executing encryption processing based on a distribution key generation master key MKdis for generating a distribution key Kdis used for encryption processing of transfer data and a data identifier, which is identification data of said transfer data, and generating distribution key Kdis of said transfer data, and said encryption processing step is a step of executing encryption processing on transfer data based on the distribution key Kdis generated in said distribution key generating step.
 60. The data processing method according to claim 58, characterized in that data processing executed by said data processing method is authentication processing of an externally connected apparatus to/from which data is transferred, said key generating step is an authentication key generating step of executing encryption processing based on an authentication key generation master key MKake for generating an authentication key Kake of said externally connected apparatus and an externally connected apparatus identifier, which is identification data of said externally connected apparatus, and generating said authentication key Kake of said externally connected apparatus, and said encryption processing step is a step of executing authentication processing of the externally connected apparatus based on the authentication key Kake generated in said authentication key generating step.
 61. The data processing method according to claim 58, characterized in that data processing executed by said data processing apparatus is signature processing on data, said key generating step is a signature key generating step of executing encryption processing based on a signature key generation master key MKdev for generating a data processing apparatus signature key Kdev of said data processing apparatus and a data processing apparatus identifier, which is identification data of said data processing apparatus and generating the data processing apparatus signature key Kdev of said data processing apparatus, and said encryption processing step is a step of executing signature processing on data based on the signature key Kdev generated in said signature key generating step.
 62. The data processing method according to claim 58, characterized in that said key generating step is encryption processing that uses at least part of data identification of the apparatus or data subject to encryption processing as a message and applies said master key as the encryption key.
 63. The data processing method according to claim 62, characterized in that said encryption processing is encryption processing using a DES algorithm.
 64. A data processing method in a data processing system comprising: a contents data providing apparatus that supplies contents data; and a contents data utilization apparatus that utilizes the contents data, characterized in that said contents data providing apparatus generates a contents data distribution key based on a distribution key generation master key for generating a contents data distribution key used for encryption processing on contents data and a contents identifier, which is the identifier of the provided contents data and executes encryption processing on said contents data, and said contents data utilization apparatus generates a contents data distribution key based on said distribution key generation master key and a contents identifier, which is the identifier of the provided contents data and executes decryption processing on said contents data.
 65. The data processing method according to claim 64, characterized in that said contents data providing apparatus has a plurality of different distribution key generation master keys to generate a plurality of different contents data distribution keys, generates a plurality of different contents data distribution keys based on said plurality of distribution key generation master keys and said contents identifier, executes encryption processing using said plurality of distribution keys generated and generates encryption contents data of a plurality of types, and said contents data utilization apparatus has at least one distribution key generation master key of the plurality of different distribution key generation master keys owned by said contents data providing apparatus and decrypts only encryption contents data by a distribution key generated using the same distribution key generation master key as the distribution key generation master key owned by the own apparatus.
 66. A data processing method in a data processing system configured by a plurality of data processing apparatuses comprising: a step of storing, by data processing apparatus A, which is one of said plurality of data processing apparatuses, in a storage medium contents data encrypted using a contents key generated based on a contents key generation master key to generate a contents key used for encryption processing of contents data and the apparatus identifier of said data processing apparatus A; a step of generating the same contents key as said contents key by different data processing apparatus B based on the same said contents key generation master key as that of said data processing apparatus A and the apparatus identifier of said data processing apparatus A; and a step of decrypting the contents data stored in said storage medium using the contents key generated by said data processing apparatus B.
 67. A data processing method in a data processing system comprising: a host device; and a slave device subject to authentication processing by said host device, characterized in that said slave device generates an authentication key based on an authentication key generation master key to generate an authentication key used for authentication processing between the host device and slave device and a slave device identifier, which is the identifier of said slave device and stores the authentication key generated in memory in said slave device, and said host device generates an authentication key based on said authentication key generation master key and slave device identifier, which is the identifier of said slave device and executes authentication processing.
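The master-key derivation of claims 47 to 67 can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 is swapped in for the DES operation of claims 52 and 63, the seal/unseal cipher and the challenge-response exchange are assumptions made so that the derived keys can be exercised, and all key values and identifiers are constructed.

```python
import hashlib
import hmac

# Constructed demo master keys; the claims name the roles (MKdis, MKake) only.
MKDIS = {1: b"demo MKdis variant 1", 2: b"demo MKdis variant 2"}
MKCON = b"demo contents key generation master key"
MKAKE = b"demo MKake"
TAG_LEN = 32


def derive(master_key, identifier):
    # Claims 51/62: the identifier is the message and the master key is the key.
    # HMAC-SHA256 is swapped in for the DES encryption of claims 52/63.
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    # Demo-only stand-in cipher (assumption): keystream XOR plus a MAC tag.
    # It has no nonce, so each derived key must protect a single message.
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()


def unseal(key, blob):
    # Returns the plaintext, or None when the key does not match the blob.
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def provider_publish(content_id, plaintext):
    # Claims 55/65: one encrypted variant per distribution key generation master key.
    return {n: seal(derive(mk, content_id), plaintext) for n, mk in MKDIS.items()}


def device_open(own_mkdis, content_id, variants):
    # Claims 54/64: the utilization apparatus regenerates Kdis from the content ID.
    kdis = derive(own_mkdis, content_id)
    return {n: unseal(kdis, blob) for n, blob in variants.items()}


def slave_response(stored_kake, challenge):
    # The slave uses the Kake it stored in memory (claims 57/67).
    return hmac.new(stored_kake, challenge, hashlib.sha256).digest()


def host_authenticate(slave_id, challenge, response):
    # The host keeps only MKake and regenerates Kake from the presented ID.
    kake = derive(MKAKE, slave_id)
    expected = hmac.new(kake, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    variants = provider_publish(b"CID-0001", b"track data")
    print(device_open(MKDIS[2], b"CID-0001", variants))  # only variant 2 opens

    # Claims 56/66: apparatus B rebuilds apparatus A's contents key from A's ID.
    stored_by_a = seal(derive(MKCON, b"DEV-A"), b"saved data")
    print(unseal(derive(MKCON, b"DEV-A"), stored_by_a))
    print(unseal(derive(MKCON, b"DEV-B"), stored_by_a))  # wrong identifier: None

    kake = derive(MKAKE, b"CARD-42")
    challenge = bytes(range(16))  # fixed for the demo; use a fresh random value
    print(host_authenticate(b"CARD-42", challenge, slave_response(kake, challenge)))
```

Because every apparatus in claim 53 holds the same master key, each derived key is only as well protected as the master key storage of the weakest device in the system.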
 68. A program providing medium that supplies a computer program to execute encryption processing of at least one of data encryption, data decryption, data verification, authentication processing and signature processing on a computer system, said computer program comprising: a key generating step of generating individual keys necessary to execute said encryption processing based on said master keys to generate the keys used for said encryption processing and identification data of the apparatus or data subject to encryption processing; and an encryption processing step of executing encryption processing based on the keys generated in said key generating step.
 69. A data processing apparatus that processes contents data supplied from a storage medium or communication medium, comprising: a storage section that stores data processing apparatus identifiers; a list verification section that extracts an illegal device list included in the contents data and executes collation between entries of said list and said data processing apparatus identifiers stored in said storage section; and a control section that stops executing processing of at least either one of reproduction of said contents data or processing of storage in a recording device when the result of the collation processing in said collation processing section shows that said illegal device list includes information that matches said data processing identifiers.
 70. The data processing apparatus according to claim 69, characterized in that said list verification section comprises an encryption processing section that executes encryption processing on said contents data; and said encryption processing section verifies the presence or absence of tampering in said illegal device list based on check values of the illegal device list included in said contents data and executes said collation processing only when said verification proves no tampering.
 71. The data processing apparatus according to claim 70, further comprising an illegal device list check value generation key, characterized in that said encryption processing section executes encryption processing applying said illegal device list check value generation key to illegal device list configuration data to be verified, generates illegal device list check values, executes collation between said illegal device list check values and the illegal device list check values included in said contents data and thereby verifies the presence or absence of tampering in said illegal device list.
 72. The data processing apparatus according to claim 69, characterized in that said list verification section comprises an encryption processing section that executes encryption processing on said contents data; and said encryption processing section executes decryption processing of the encrypted illegal device list included in said contents data and executes said collation processing on the illegal device list resulting from said decryption processing.
 73. The data processing apparatus according to claim 69, characterized in that said list verification section comprises an encryption processing section that executes mutual authentication processing with a recording device to/from which contents data is transferred; and said list verification section extracts the illegal device list included in said contents data and executes collation with said data processing apparatus identifiers stored in said storage section on condition that authentication with said recording device has been established through mutual authentication processing executed by said encryption processing section.
 74. A data processing method that processes contents data supplied from a storage medium or communication medium, comprising: a list extracting step of extracting an illegal device list included in the content data; a collation processing step of executing collation between entries included in the list extracted in said list extracting step and said data processing apparatus identifiers stored in a storage section in the data processing apparatus; and a step of stopping execution of processing of at least either one of reproduction of said contents data or processing of storage in a recording device when the result of the collation processing in said collation processing step shows that said illegal device list includes information that matches said data processing identifiers.
 75. The data processing method according to claim 74, further comprising a verification step of verifying the presence or absence of tampering in said illegal device list based on check values of the illegal device list included in said contents data, characterized in that said collation processing step executes collation processing only when said verification step proves no tampering.
 76. The data processing method according to claim 75, characterized in that said verification step comprising: a step of executing encryption processing applying an illegal device list check value generation key to illegal device list configuration data to be verified and generating illegal device list check values; and a step of executing collation between the illegal device list check values generated and the illegal device list check values included in said contents data and thereby verifying the presence or absence of tampering in said illegal device list.
 77. The data processing method according to claim 74, further comprising a decrypting step of executing decrypting processing on the encrypted illegal device list included in said contents data, characterized in that said collation processing step executes said collation processing on the illegal device list resulting from said decrypting step.
 78. The data processing method according to claim 74, further comprising a mutual authentication processing step of executing mutual authentication processing with a recording device to/from which contents data is transferred, characterized in that said collation processing step executes said collation processing on condition that authentication with said recording device has been established through mutual authentication processing executed in said mutual authentication processing step.
 79. A contents data generation method that generates contents data supplied from a storage medium or communication medium to a plurality of recorders/reproducers, characterized in that an illegal device list whose component data comprises identifiers of recorders/reproducers, which will be excluded from the use of said contents data is stored as the header information of the contents data.
 80. The contents data generation method according to claim 79, characterized in that illegal device list check values for a tampering check on said illegal device list are stored as the header information of the contents data.
 81. The contents data generation method according to claim 79, characterized in that said illegal device list is encrypted and stored in the header information of the contents data.
 82. A program supply medium that supplies a computer program that allows a computer system to execute processing of contents data supplied from a storage medium or communication medium, said computer program comprising: a list extracting step of extracting an illegal device list included in the contents data; a collation processing step of executing collation between entries included in the list extracted in said list extracting step and said data processing apparatus identifiers stored in a storage section in the data processing apparatus; and a step of stopping execution of processing of either one of reproduction of said contents data or processing of storage in a recording device when the result of the collation processing in said collation processing step shows that said illegal device list includes information that matches said data processing identifiers.
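The illegal device list handling of claims 69 to 82 can be sketched as follows. This is an added example, not code from the patent: the byte layout of the list (entry count, fixed-length identifiers, trailing check value), the key value and the device identifiers are constructed assumptions, and HMAC-SHA256 stands in for the unspecified check value generation.

```python
import hashlib
import hmac
import struct

ID_LEN = 8    # assumed identifier length
ICV_LEN = 32  # length of the HMAC-SHA256 check value used here
K_LIST_ICV = b"demo illegal device list check value generation key"  # constructed


def build_list(revoked_ids, key=K_LIST_ICV):
    """Producer side (claims 79-80): list plus its check value for the header."""
    if any(len(i) != ID_LEN for i in revoked_ids):
        raise ValueError("every identifier must be ID_LEN bytes")
    body = struct.pack(">H", len(revoked_ids)) + b"".join(revoked_ids)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_list(blob):
    """Split the list into (body, identifiers, check value); reject bad lengths."""
    if len(blob) < 2 + ICV_LEN:
        raise ValueError("truncated list")
    (count,) = struct.unpack(">H", blob[:2])
    if len(blob) != 2 + count * ID_LEN + ICV_LEN:
        raise ValueError("length does not match entry count")
    body, icv = blob[:-ICV_LEN], blob[-ICV_LEN:]
    ids = [body[2 + i * ID_LEN: 2 + (i + 1) * ID_LEN] for i in range(count)]
    return body, ids, icv


def decide(blob, own_id, key=K_LIST_ICV):
    """Device side: fail closed unless the list is intact and omits own_id."""
    try:
        body, ids, icv = parse_list(blob)
    except ValueError:
        return "stop: malformed list"
    # Claims 70/75: collation runs only when the check value proves no tampering.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), icv):
        return "stop: list check value mismatch"
    # Claims 69/74: stop reproduction or storage when the own identifier is listed.
    if own_id in ids:
        return "stop: device is on the illegal device list"
    return "proceed"


def demo():
    blob = build_list([b"DEV-0001", b"DEV-0002"])
    # Constructed tamper case: the entry for DEV-0002 is cut out and the count
    # is lowered, but the original check value is left in place.
    stripped = struct.pack(">H", 1) + b"DEV-0001" + blob[-ICV_LEN:]
    return {
        "listed device": decide(blob, b"DEV-0002"),
        "unlisted device": decide(blob, b"DEV-0003"),
        "entry removed": decide(stripped, b"DEV-0002"),
        "truncated list": decide(blob[:-1], b"DEV-0003"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```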
 83. A data processing apparatus that processes contents data supplied via a recording medium or communication medium, comprising: an encryption processing section that executes encryption processing on said contents data; a control section that executes control over said encryption processing section; a system common key used for encryption processing in said encryption processing section, which is common to other data processing apparatuses using said contents data; and at least one of an apparatus-specific key, which is specific to the data processing apparatus used for encryption processing in said encryption processing section or an apparatus-specific identifier to generate said apparatus-specific key, characterized in that said encryption processing section is configured to perform encryption processing by applying either one of said system common key or said apparatus-specific key according to the utilization mode of said contents data.
 84. The data processing apparatus according to claim 83, characterized in that said encryption processing section executes encryption processing by applying either one of said system common key or said apparatus-specific key according to utilization restriction information included in said contents data.
 85. The data processing apparatus according to claim 83, further comprising a recording device for recording contents data, characterized in that said encryption processing section, when imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus, generates data to be stored in said recording device by executing encryption processing using said apparatus-specific key for said contents data; and in the case where said contents data is also made available to an apparatus other than the own data processing apparatus, data to be stored in said recording device is generated by executing encryption processing using said system common key on said contents data.
 86. The data processing apparatus according to claim 83, comprising a signature key Kdev specific to the data processing apparatus and a system signature key Ksys common to a plurality of data processing apparatuses, characterized in that said encryption processing section, when said contents data is stored in said recording device imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus, generates an apparatus-specific check value through encryption processing applying said apparatus-specific signature key Kdev to said contents data and, when said contents data is stored in said recording device with said contents data also made available to an apparatus other than the own data processing apparatus, generates an overall check value through encryption processing applying said system signature key Ksys to said contents data; and said control section performs control of storing either one of said apparatus-specific check value generated by said encryption processing section or said overall check value together with said contents data in said recording device.
 87. The data processing apparatus according to claim 83, comprising a signature key Kdev specific to the data processing apparatus and a system signature key Ksys common to a plurality of data processing apparatuses, characterized in that said encryption processing section, when contents data imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus is reproduced, generates an apparatus-specific check value applying said apparatus-specific signature key Kdev to said contents data and executes collation processing on said apparatus-specific check value generated and, when contents data also made available to an apparatus other than the own data processing apparatus is reproduced, generates an overall check value through encryption processing applying said system signature key Ksys to said contents data and performs collation processing on said overall check value generated; and said control section generates reproducible decrypted data by continuing processing of contents data by the encryption processing section only when collation with said apparatus-specific check value is established or when collation with said overall check value is established.
 88. The data processing apparatus according to claim 83, comprising a recording data processing apparatus signature key master key MKdev and data processing apparatus identifier IDdev, characterized in that said encryption processing section generates a signature key Kdev as the data processing apparatus specific key through encryption processing based on said data processing apparatus signature key master key MKdev and said data processing apparatus identifier IDdev.
 89. The data processing apparatus according to claim 88, characterized in that said encryption processing section generates said signature key Kdev through DES encryption processing applying said data processing apparatus signature key master key MKdev to said data processing apparatus identifier IDdev.
 90. The data processing apparatus according to claim 83, characterized in that said encryption processing section generates an intermediate integrity check value by executing encryption processing on said contents data and executes encryption processing applying said data processing apparatus specific key or system common key to said intermediate integrity check value.
 91. The data processing apparatus according to claim 90, characterized in that said encryption processing section generates a partial integrity check value through encryption processing on a partial data set containing at least one partial data item obtained by dividing said contents data into a plurality of parts and generates an intermediate integrity check value through encryption processing on a partial integrity check value set data string containing said partial integrity check value generated.
 92. A data processing method that processes contents data supplied via a recording medium or communication medium, characterized by selecting either one of an encryption processing system common key common to other data processing apparatuses using said contents data or an apparatus-specific key, which is specific to the data processing apparatus according to the utilization mode of said contents data; and executing encryption processing by applying the selected encryption processing key to said contents data.
 93. The data processing method according to claim 92, characterized in that said encryption processing key selecting step is a step of selecting according to utilization restriction information contained in said contents data.
 94. The data processing method according to claim 92, characterized in that the processing of storing contents data in the recording device, when imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus, generates data to be stored in said recording device by executing encryption processing applying said apparatus-specific key to said contents data; and in the case where said contents data is also made available to an apparatus other than the own data processing apparatus, data to be stored in said recording device is generated by executing encryption processing using said system common key on said contents data.
 95. The data processing method according to claim 92, characterized in that when said contents data is stored in said recording device imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus, the processing of recording contents data in the recording device generates an apparatus-specific check value through encryption processing applying said apparatus-specific signature key Kdev to said contents data and, when said contents data is stored in said recording device with said contents data also made available to an apparatus other than the own data processing apparatus, generates an overall check value through encryption processing applying said system signature key Ksys to said contents data; and either one of said apparatus-specific check value generated or said overall check value is stored together with said contents data in said recording device.
 96. The data processing method according to claim 92, characterized in that when contents data imposed with a utilization restriction that said contents data should be used only for the own data processing apparatus is reproduced, the contents data reproducing processing generates an apparatus-specific check value through encryption processing applying said apparatus-specific signature key Kdev to said contents data and executes collation processing on said apparatus-specific check value generated and, when contents data imposed with a utilization restriction that the contents data is also made available to an apparatus other than the own data processing apparatus is reproduced, generates an overall check value through encryption processing applying said system signature key Ksys to said contents data and performs collation processing on said overall check value generated; and contents data is reproduced only when collation with said apparatus-specific check value is established or when collation with said overall check value is established.
 97. The data processing method according to claim 92, further comprising a step of generating a signature key Kdev as the data processing apparatus specific key through encryption processing based on data processing apparatus signature key master key MKdev and data processing apparatus identifier IDdev.
 98. The data processing method according to claim 97, characterized in that said signature key Kdev generating step is a step of generating said signature key Kdev through DES encryption processing applying said data processing apparatus signature key master key MKdev to said data processing apparatus identifier IDdev.
 99. The data processing method according to claim 92, further comprising a step of generating an intermediate integrity check value by executing encryption processing on said contents data, characterized by executing encryption processing applying said data processing apparatus specific key or system common key to said intermediate integrity check value.
 100. The data processing method according to claim 99, characterized by further generating a partial integrity check value through encryption processing on a partial data set containing at least one partial data item obtained by dividing said contents data into a plurality of parts and generating an intermediate integrity check value through encryption processing on a partial integrity check value set data string containing said partial integrity check value generated.
 101. A program supply medium that supplies a computer program allowing a computer system to execute data processing that processes contents data supplied via a recording medium or communication medium, said computer program comprising the steps of: selecting either encryption processing key, an encryption processing system common key common to other data processing apparatuses using said contents data or an apparatus-specific key, which is specific to the data processing apparatus according to the utilization mode of said contents data; and executing encryption processing applying the selected encryption processing key to said contents data.
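Claims 83 to 101 combine three steps: deriving Kdev from MKdev and IDdev, choosing Kdev or Ksys from the utilization restriction, and keying a two-level check value with the chosen key. The sketch below is an added example, not code from the patent; the DES step the claims name is replaced by a truncated HMAC-SHA256 stand-in, and the key values, the record layout, the `localized` flag and the shared `KICV` key are assumptions.

```python
"""Added example: device-bound versus shared check values (claims 83-101)."""
import hashlib
import hmac

UNIT = 8  # bytes per key and check value; assumption matching the DES block size

# Constructed sample keys for the demo (assumptions, not values from the patent).
MKDEV = bytes.fromhex("0f1e2d3c4b5a6978")  # master key for device signature keys
KSYS = bytes.fromhex("8796a5b4c3d2e1f0")   # system signature key common to all devices
KICV = bytes.fromhex("1122334455667788")   # check value generation key (assumed shared)


class CollationError(Exception):
    """Raised when a recomputed check value does not match the stored one."""


def keyed(key, message):
    """Stand-in for the DES step named in the claims (this is NOT DES)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:UNIT]


def derive_kdev(mkdev, iddev):
    """Claims 88-89 and 97-98: Kdev results from applying MKdev to IDdev."""
    return keyed(mkdev, iddev)


def intermediate_icv(parts):
    """Claims 91 and 100: partial check values, then one value over their string."""
    partials = [keyed(KICV, part) for part in parts]
    return keyed(KICV, b"".join(partials))


class Device:
    def __init__(self, iddev):
        self.iddev = iddev

    def _signature_key(self, localized):
        """Claims 84 and 93: the utilization restriction selects the key.

        Kdev is derived on demand from the master key and the device identifier.
        """
        return derive_kdev(MKDEV, self.iddev) if localized else KSYS

    def store(self, parts, localized):
        """Claims 86 and 95: attach a device-specific or an overall check value."""
        flag = b"\x01" if localized else b"\x00"
        # The restriction flag is covered by the check value as a first part.
        icv = intermediate_icv([flag] + list(parts))
        return {
            "localized": localized,
            "parts": list(parts),
            "check_value": keyed(self._signature_key(localized), icv),
        }

    def reproduce(self, record):
        """Claims 87 and 96: continue only when collation is established."""
        flag = b"\x01" if record["localized"] else b"\x00"
        icv = intermediate_icv([flag] + list(record["parts"]))
        expected = keyed(self._signature_key(record["localized"]), icv)
        if not hmac.compare_digest(expected, record["check_value"]):
            raise CollationError("check value mismatch: processing stopped")
        return b"".join(record["parts"])


def can_reproduce(device, record):
    """Return True when the device accepts the record, False when collation fails."""
    try:
        device.reproduce(record)
        return True
    except CollationError:
        return False
```

A record stored with the restriction set verifies only on the device whose IDdev produced Kdev, while a record stored under Ksys verifies on any device holding the system key.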
 102. A data processing apparatus that processes contents data supplied via a recording medium or communication medium, comprising: an encryption processing section that executes encryption processing on said contents data; and a control section that executes control over said encryption processing section, characterized in that said encryption processing section is configured to generate a contents check value in units of contents block data to be verified included in the data, execute collation on the contents check value generated and thereby execute verification processing on the validity of each contents block data in said data.
 103. The data processing apparatus according to claim 102, comprising a contents check value generation key, characterized in that said encryption processing section generates a contents intermediate value based on contents block data to be verified and generate a contents check value by executing encryption processing applying said contents check value generation key to said contents intermediate value.
 104. The data processing apparatus according to claim 103, characterized in that when the contents block data to be verified is encrypted, said encryption processing section generates a contents intermediate value by executing predetermined operation processing on an entire decrypted statement obtained through decryption processing of said contents block data in units of a predetermined number of bytes, and when the contents block data to be verified is not encrypted, generates a contents intermediate value by executing predetermined operation processing on the entire contents block data in units of a predetermined number of bytes.
 105. The data processing apparatus according to claim 104, characterized in that said predetermined operation processing applied in said intermediate integrity check value generation processing by said encryption processing section is an exclusive-OR operation.
 106. The data processing apparatus according to claim 104, characterized in that said encryption processing section has an encryption processing configuration in CBC mode and said decryption processing applied to the content intermediate value generation processing when the contents block data to be verified is decryption processing in CBC mode.
 107. The data processing apparatus according to claim 106, characterized in that the encryption processing configuration in CBC mode of said encryption processing section is a configuration in which common key encryption processing is applied a plurality of times only to part of a message string to be processed.
 108. The data processing apparatus according to claim 102, characterized in that when the contents block data contains a plurality of parts and some parts included in said contents block data are to be verified, said encryption processing section generates a contents check value based on the parts to be verified, executes collation processing on the contents check value generated and thereby executes verification processing on the validity in units of content block data in said data.
 109. The data processing apparatus according to claim 108, characterized in that when said contents block data contains a plurality of parts and it is one part that needs to be verified, said encryption processing section generates a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where said parts to be verified is encrypted, and generates a contents check value by executing encryption processing applying said contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on said entire part to be verified in the case where said parts to be verified is not encrypted.
 110. The data processing apparatus according to claim 108, characterized in that when said contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, said encryption processing section uses, as a contents check value, the result obtained by executing encryption processing applying said contents check value generation key to link data of a parts check value obtained by executing encryption processing applying a contents check value generation key to each part.
 111. The data processing apparatus according to claim 102, characterized in that said encryption processing section further comprises a recording device for storing contents data containing contents block data whose validity has been verified.
 112. The data processing apparatus according to claim 111, characterized in that when collation is not established in the collation processing on a contents check value in said encryption processing section, said control section stops storage in said recording device.
 113. The data processing apparatus according to claim 102, characterized in that said encryption processing section further comprises a reproduction processing section for reproducing data whose validity has been verified.
 114. The data processing apparatus according to claim 113, characterized in that when collation is not established in the collation processing on a contents check value in said encryption processing section, said control section stops reproduction processing in said reproduction processing section.
 115. A data processing method that processes contents data supplied via a recording medium or communication medium, characterized by generating a contents check value in units of contents block data to be verified included in the data, executing collation on the contents check value generated and thereby executing verification processing on the validity in units of contents block data in said data.
 116. The data processing method according to claim 115, characterized by generating a contents intermediate value based on contents block data to be verified and generating a contents check value by executing encryption processing applying said contents check value generation key to said contents intermediate value generated.
 117. The data processing method according to claim 115, characterized by generating, when the contents block data to be verified is encrypted, a contents intermediate value by executing predetermined operation processing on an entire decrypted statement obtained through decryption processing of said contents block data in units of a predetermined number of bytes, and generating, when the contents block data to be verified is not encrypted, a contents intermediate value by executing predetermined operation processing on the entire contents block data in units of a predetermined number of bytes.
 118. The data processing method according to claim 117, characterized in that said predetermined operation processing applied in said intermediate integrity check value generation processing is an exclusive-OR operation.
 119. The data processing method according to claim 117, characterized in that in said contents intermediate value generation processing, said decryption processing applied to the content intermediate value generation processing when the contents block data to be verified is encrypted is decryption processing in CBC mode.
 120. The data processing method according to claim 119, characterized in that in said decryption processing configuration in CBC mode, common key encryption processing is applied a plurality of times only to part of a message string to be processed.
 121. The data processing method according to claim 115, characterized by generating, when the contents block data contains a plurality of parts and some parts included in said contents block data are to be verified, a contents check value based on the parts to be verified, executing collation processing on the contents check value generated and thereby executing verification processing on the validity in units of content block data in said data.
 122. The data processing method according to claim 121, characterized by generating, when the contents block data contains a plurality of parts and it is one part that needs to be verified, a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where said part to be verified is encrypted, and generating a contents check value by executing encryption processing applying said contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on said entire part to be verified in the case where said part to be verified is not encrypted.
 123. The data processing method according to claim 121, characterized by using, when said contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, as a contents check value, the result obtained by executing encryption processing further applying said contents check value generation key to link data of a parts check value obtained by executing encryption processing applying the contents check value generation key to each part.
 124. The data processing method according to claim 115, further comprising a step of storing contents data containing contents block data whose validity has been verified.
 125. The data processing method according to claim 124, characterized in that when collation is not established in the collation processing on a contents check value, said control section stops storage in said recording device.
 126. The data processing method according to claim 115, further comprising a step of reproducing data whose validity has been verified.
 127. The data processing method according to claim 126, characterized by stopping reproduction processing when collation is not established in the collation processing on a contents check value.
 128. A contents data verification value assignment method for contents data verification processing, characterized by generating a contents check value in units of contents block data to be verified included in the data, assigning the contents check value generated to contents data containing the contents block data to be verified.
 129. The contents data verification value assignment method according to claim 128, characterized in that said contents check value is generated through encryption processing applying the contents check value generation key using the contents block data to be checked as a message.
 130. The contents data verification value assignment method according to claim 128, characterized in that said contents check value is generated by generating a contents intermediate value based on the contents block data to be verified and executing encryption processing applying said contents check value generation key to said contents intermediate value.
 131. The contents data verification value assignment method according to claim 128, characterized in that said contents check value is generated by executing encryption processing in CBC mode on the contents block data to be verified.
 132. The contents data verification value assignment method according to claim 131, characterized in that said encryption processing configuration in CBC mode is a configuration in which common key encryption processing is applied a plurality of times only to part of a message string to be processed.
 133. The contents data verification value assignment method according to claim 128, characterized by generating, when the contents block data contains a plurality of parts and some parts included in said contents block data are to be verified, a contents check value based on the parts to be verified and assigning the contents check value generated to contents data containing the content block data to be verified.
 134. The contents data verification value assignment method according to claim 133, characterized by generating, when said contents block data contains a plurality of parts and it is one part that needs to be verified, a contents check value by executing encryption processing applying the contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on the entire decrypted statement obtained by decryption processing of parts to be verified in the case where said parts to be verified is encrypted, generating a contents check value by executing encryption processing applying said contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on said entire part to be verified in the case where said parts to be verified is not encrypted and assigning the contents check value generated to the contents data containing the contents block data to be verified.
 135. The contents data verification value assignment method according to claim 133, characterized by using, when said contents block data contains a plurality of parts and it is a plurality of parts that needs to be verified, as a contents check value, the result obtained by executing encryption processing further applying said contents check value generation key to link data of a parts check value obtained by executing encryption processing applying the contents check value generation key to each part and assigning the contents check value generated to contents data containing the contents block data to be verified.
 136. A program supply medium that supplies a computer program to execute data processing on contents data supplied via a recording medium or communication medium, said computer program comprising: a step of generating a contents check value in units of contents block data to be verified included in the data; and a step of executing collation processing on the contents check value generated and thereby executing verification processing on the validity in units of contents block data in said data.
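Claims 102 to 136 give two ways to build a per-block contents check value: an exclusive-OR over fixed-size units followed by one keyed step (claims 104, 105, 109, 110), and CBC-mode processing of the block (claim 131). The sketch below is an added example, not code from the patent, that computes both so their detection behaviour can be compared; the DES step is replaced by a truncated HMAC-SHA256 stand-in, parts are taken as already decrypted, and the 8-byte unit, zero padding and key value are assumptions.

```python
"""Added example: per-block contents check values (claims 102-136)."""
import hashlib
import hmac

UNIT = 8  # "predetermined number of bytes"; 8 is an assumption (DES block size)
KICVC = bytes.fromhex("a1b2c3d4e5f60718")  # constructed check value generation key


def keyed(key, message):
    """Stand-in for the DES step named in the claims (this is NOT DES)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:UNIT]


def units(data):
    """Split data into UNIT-byte pieces, zero-padding the last one (assumption)."""
    padded = data + b"\x00" * (-len(data) % UNIT)
    return [padded[i:i + UNIT] for i in range(0, len(padded), UNIT)]


def xor_bytes(left, right):
    return bytes(a ^ b for a, b in zip(left, right))


def xor_intermediate(plaintext):
    """Claims 104-105: exclusive-OR of the whole (decrypted) part, unit by unit."""
    value = bytes(UNIT)
    for unit in units(plaintext):
        value = xor_bytes(value, unit)
    return value


def check_value_single(part):
    """Claim 109: one part, keyed step applied to the XOR intermediate value."""
    return keyed(KICVC, xor_intermediate(part))


def check_value_multi(parts):
    """Claim 110: keyed step over the linked per-part check values."""
    return keyed(KICVC, b"".join(check_value_single(part) for part in parts))


def check_value(parts):
    """Select the single-part or multi-part construction for one content block."""
    return check_value_single(parts[0]) if len(parts) == 1 else check_value_multi(parts)


def check_value_cbc(part):
    """Claim 131 style: chain every unit through the keyed step in CBC fashion."""
    state = bytes(UNIT)
    for unit in units(part):
        state = keyed(KICVC, xor_bytes(state, unit))
    return state


def verify_block(parts, stored):
    """Collation: recompute and compare in constant time."""
    return hmac.compare_digest(check_value(parts), stored)
```

Because exclusive-OR is commutative, the XOR intermediate value is the same for any ordering of the 8-byte units inside a part, so a check built on it detects changed bytes but not transposed units; the CBC-chained value depends on unit order as well.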
 137. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that: in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis, said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon, generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the new encryption key data Kstr[Kcon] in the header section of said content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing.
 138. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that: in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in said header section, said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon, generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kcon] in the header section of said content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing.
 139. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that: in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis, said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kblc] from said content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc, generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kblc] in a contents block section, and applying a different encryption key Kstr to the generated decryption data Kblc to execute decryption processing.
 140. A content data generating method for generating content data, comprising: coupling a plurality of content blocks composed of data including at least any one of voice information, image information and program data; applying encryption processing to at least a part of content blocks included in said plurality of content blocks by an encryption key Kcon; generating encryption key data Kdis[Kcon] that is said encryption key Kcon applied encryption processing by an encryption key Kdis and storing the encryption key Kdis in a header section of said content data; and generating content data including said plurality of content blocks and the header section.
 141. The content data generatingmethod according to claim 140, characterized in that said content datagenerating method further comprises processing of: generating blockinformation that stores information including; identificationinformation on content data; usage policy information including a datalength of the content data and a data type of the content data; andinformation including a data length of said content block and presenceor absence of encryption processing, and storing the information in saidheader section.
 142. The content data generating method according toclaim 140, characterized in that said content data generating methodfurther comprises processing of: generating a part check value based ona part of information composing said header section and storing the partcheck value in said header section; and generating a total check valuebased on said part check value and storing the total check value in saidheader section.
 143. The content data generating method according toclaim 142, characterized in that generation processing of said partcheck value and generation processing of said total check value areexecuted by applying a DES encryption processing algorithm with data tobe an object of check as a message and a check value generation key asan encryption key.
 144. The content data generating method according toclaim 141, characterized in that said content data generating methodfurther comprises: applying encryption processing to said blockinformation by the encryption key Kbit and storing the encryption keydata Kdis[Kbit] that is the encryption key Kbit generated by theencryption key Kdis in said header section.
 145. The content datagenerating method according to claim 140, characterized in that eachblock of a plurality of blocks in said content block is generated as acommon fixed data length.
 146. The content data generating methodaccording to claim 140, characterized in that each block of a pluralityof blocks in said content block is generated as a configuration in whichan encryption data section and a non-encryption data section arearranged regularly.
 147. A content data generating method for generatingcontent data comprising: coupling a plurality of content blocksincluding at least any one of voice information, image information andprogram data; composing at least a part of the plurality of contentblocks by an encryption data section that is data including at least anyone of voice information, image information and program data by anencryption key Kblc, and a set of encryption key data Kcon[Kblc] that isthe encryption key Kblc of the encryption data section appliedencryption processing by an encryption key Kcon; generating encryptionkey data Kdis[Kcon] that is the encryption key Kcon applied encryptionprocessing by an encryption key Kdis and storing the generated theencryption key data Kdis[Kcon] in a header section of said content data;and generating content data including a plurality of content blocks anda header section.
 148. A content data generating method for generating content data comprising: coupling a plurality of content blocks including at least any one of voice information, image information and program data; composing at least a part of the plurality of content blocks by an encryption data section that is data including at least any one of voice information, image information and program data by an encryption key Kblc, and a set of encryption key data Kdis[Kblc] that is the encryption key Kblc of the encryption data section applied encryption processing by an encryption key Kdis; and generating content data including a plurality of content blocks and a header section.
 149. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising: in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis, taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and storing said generated encryption key data Kstr[Kcon] in a header section of said content data, and storing the header section in said recording device together with said plurality of content blocks.
 150. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising: in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in said header section, taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and storing said generated encryption key data Kstr[Kcon] in a header section of said content data, and storing the header section in said recording device together with said plurality of content blocks.
 151. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising: in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis, taking out said encryption key data Kdis[Kblc] from said content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc; generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kblc to execute encryption processing; and storing said generated encryption key data Kstr[Kblc] in a content block section, and storing the content block section in said recording device together with said plurality of content blocks.
 152. A program providing medium for providing a computer program causing generation processing of storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, to be executed on a computer system, characterized in that: said computer program comprises: in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis, a step of taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon; generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and storing said generated encryption key data Kstr[Kcon] in a header section of said content data.
 153. A data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising: a content data analyzing section for executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and an expansion processing section for executing expansion processing of the content data included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing section.
 154. The data processing apparatus according to claim 153, characterized by further comprising: a data storing section for storing the compressed contents that are extracted by said content data analyzing section; and a program storing section for storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing section by applying the expansion processing program stored in said program storing section to the compressed contents.
 155. The data processing apparatus according to claim 153, characterized in that said contents data analyzing section has a configuration for obtaining a configuration information of content data based on header information included in said content data and performing analysis of the content data.
 156. The data processing apparatus according to claim 155, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that is objects of expansion processing in said expansion processing section, said expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing section.
 157. The data processing apparatus according to claim 153, characterized by further comprising: displaying means for displaying information of the compressed contents that are objects of expansion processing; and inputting means for inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.
 158. A data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising: a content data analyzing section for receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data; an expansion processing section for executing expansion processing of the compressed contents, characterized in that said expansion processing section has a configuration for selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed by said content data analyzing section based on the type of the expansion processing program analyzed by said content data analyzing section, and executing expansion processing by the selected expansion processing program.
 159. The data processing apparatus according to claim 158, characterized by further comprising: a data storing section for storing the compressed contents that are extracted by said content data analyzing section; and a program storing section for storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing section by applying the expansion processing program stored in said program storing section to the compressed contents.
 160. The data processing apparatus according to claim 158, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that is objects of expansion processing, content expansion processing in said expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing section.
 161. The data processing apparatus according to claim 158, characterized by further comprising retrieving means for retrieving an expansion processing program, and characterized in that said retrieving means has a configuration for retrieving an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed by said content data analyzing section with program storing means accessible by said data processing apparatus as an object of retrieval.
 162. The data processing apparatus according to claim 158, characterized by further comprising: displaying means for displaying information of the compressed contents that are objects of expansion processing; and inputting means for inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.
 163. A data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising: a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and an expansion processing step of executing expansion processing of the compressed content included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing step.
 164. The data processing method according to claim 163, characterized by further comprising: a data storing step of storing the compressed contents that are extracted by said content data analyzing step; and a program storing step of storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing step by applying the expansion processing program stored in said program storing step to the compressed contents.
 165. The data processing method according to claim 163, characterized in that said contents data analyzing step obtains a configuration information of content data based on header information included in said content data and performs analysis of the content data.
 166. The data processing method according to claim 165, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that is objects of expansion processing in said expansion processing section, said expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing step.
 167. The data processing method according to claim 163, characterized by further comprising: displaying step of displaying information of the compressed contents that are objects of expansion processing on displaying means; and inputting step of inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting step.
 168. A data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising: a content data analyzing step of receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data; a selecting step of selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed in said content data analyzing step based on the type of the expansion processing program analyzed in said content data analyzing step; and an expansion processing step of executing expansion processing by the expansion processing program selected in said selecting step.
 169. The data processing method according to claim 168, characterized by further comprising: a data storing step of storing the compressed contents that are extracted by said content data analyzing section; and a program storing step of storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing step executes expansion processing with respect to the compressed contents stored in said data storing step by applying the expansion processing program stored in said program storing step to the compressed contents.
 170. The data processing method according to claim 168, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that is objects of expansion processing, said content expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing step.
 171. The data processing method according to claim 168, characterized by comprising a retrieving step of retrieving an expansion processing program, and characterized in that said retrieving step retrieves an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed in said content data analyzing step with program storing means accessible by said data processing apparatus as an object of retrieval.
 172. The data processing method according to claim 168, characterized by further comprising: a displaying step of displaying on displaying means information of the compressed contents that are objects of expansion processing; and an inputting step of inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.
 173. A content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, characterized by generating content data in which compressed contents and an expansion processing program of the compressed contents are combined.
 174. The content data generating method according to claim 173, characterized in that a configuration information of the content data is added as header information of said content data.
 175. The content data generating method according to claim 173, characterized in that reproduction priority information of contents included in the content data as header information of the content data.
 176. A content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, characterized in that content data is generated in which a type of content data for identifying whether the content data has compressed contents or an expansion processing program is added as header information; if the content data has compressed contents, a type of a compression processing program applied to the compressed contents is added as header information; and if the content data has an expansion processing program, a type of an expansion processing program is added as header information.
 177. The content data generating method according to claim 177, characterized in that reproduction priority information of contents included in the content data is added as header information of said content data.
 178. A program providing medium for providing a computer program that causes a computer system to execute reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising: a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and an expansion processing step of executing expansion processing of the content data included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing section.
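
The key hierarchy of claim 147 and the re-wrapping step of claims 149 and 150, as an added Python example that is not part of the patent text: storing content in a recording device replaces Kdis[Kcon] in the header with Kstr[Kcon] and leaves the content blocks untouched. The function names are hypothetical, `reproduce` is an assumed playback path used only to check the result, and the cipher is a stand-in built from HMAC-SHA256 (a keystream plus a tag that detects a wrong key), not the cipher of the described apparatus.

```python
import hashlib
import hmac
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption, not the patent's): nonce || body || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError on a wrong key or altered data."""
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def generate_content(k_dis: bytes, plain_blocks: list) -> dict:
    """Claim 147: data under Kblc, Kcon[Kblc] in each block, Kdis[Kcon] in the header."""
    k_con = os.urandom(16)
    blocks = []
    for data in plain_blocks:
        k_blc = os.urandom(16)
        blocks.append({"Kcon[Kblc]": encrypt(k_con, k_blc), "data": encrypt(k_blc, data)})
    return {"header": {"Kdis[Kcon]": encrypt(k_dis, k_con)}, "blocks": blocks}

def store_in_recording_device(content: dict, k_dis: bytes, k_str: bytes) -> dict:
    """Claims 149/150: recover Kcon with Kdis, re-encrypt it under Kstr, keep the blocks."""
    k_con = decrypt(k_dis, content["header"]["Kdis[Kcon]"])
    return {"header": {"Kstr[Kcon]": encrypt(k_str, k_con)}, "blocks": content["blocks"]}

def reproduce(stored: dict, k_str: bytes) -> list:
    """Assumed playback path: Kstr -> Kcon -> Kblc -> block data."""
    k_con = decrypt(k_str, stored["header"]["Kstr[Kcon]"])
    return [decrypt(decrypt(k_con, b["Kcon[Kblc]"]), b["data"]) for b in stored["blocks"]]

if __name__ == "__main__":
    # Constructed sample keys and blocks, for illustration only.
    k_dis, k_str = os.urandom(16), os.urandom(16)
    content = generate_content(k_dis, [b"voice block", b"image block"])
    stored = store_in_recording_device(content, k_dis, k_str)
    print(reproduce(stored, k_str))
```

Only the header entry is re-encrypted on storage, so the cost of binding content to a recording device does not grow with the number or size of content blocks.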